PREFACE



This book contains the proceedings of EUROCRYPT 84, held in Paris on April 9-11, 1984, at the University of Paris, Sorbonne.

EUROCRYPT is now an annual international European meeting in cryptology, intended primarily for the international community of researchers in this area. EUROCRYPT 84 followed the previous meetings held at Burg Feuerstein in 1982 and at Udine in 1983. In fact EUROCRYPT 84 was the first such meeting organized under the IACR (International Association for Cryptologic Research). Other sponsors were the well-known French association for cybernetics research, AFCET, the LITP (Laboratoire d'Informatique Théorique et de Programmation), a computer science laboratory associated with the CNRS, and the department of mathematics and computer science of the University René Descartes, Sorbonne.

EUROCRYPT 84 was very successful, with about 180 participants from a great variety of countries and close to 50 papers addressing all aspects of cryptology, applied as well as theoretical. It also had a special feature, namely a special session on smart cards, particularly welcome at the time since France was then carrying out an ambitious program on smart cards.

EUROCRYPT 84 was a great experience. We would like to thank all the sponsors and all the authors for their submissions of papers.
ABSTRACT



Complexity theories have recently been proposed as a basis for evaluating the performance of crypto machines. They are compared here to Shannon's model. They shed new light on the notion of randomness. But it is stressed that the statistical point of view remains the more secure one.
CRYPTOLOGY AND COMPLEXITY THEORIES



Complexity theories have recently been proposed as a basis for evaluating the performance of cryptographic systems. In this short survey we present the different approaches used to connect these two notions.

Complexity theories are rather new, and their motivation is the analysis of algorithm efficiency. Their main characteristic is that they are very general theories dealing with very general algorithms; their most concrete results give information about the asymptotic behaviour of algorithms.

The central problem of cryptology is the evaluation of the security of a secrecy system, that is to say, how immune a system is against cryptanalysis. When cryptanalysis is possible, such an evaluation must measure how much time and how much information are required to get the solution.

1. The model of Shannon

The first mathematical treatment of this problem was achieved by Shannon [1] in the forties. His theory allowed the problem to be formalized properly. As a consequence he could give some guidelines for designing secrecy systems.

The Shannon approach is based on a probabilistic model; the core of the theory is the evaluation of the probabilities of clear-texts. There are two main parameters:

- the a priori probability of the clear-text m: P(m)

- the conditional probability P(m|c) of the clear-text m when the cryptogram c is intercepted.

The main concept defined by Shannon is "perfect secrecy": a cryptosystem is perfectly secret when P(m) = P(m|c) for all m and c. Then the knowledge of a cryptogram gives no information about the clear-text: cryptanalysis of such a system is impossible.

But perfect secrecy has limitations: it requires a number of keys at least as great as the number of clear messages. This means that the keys must be as long as the messages. So these systems are obviously impracticable except in particular situations, because the keys must be exchanged over a secure channel.

In practice, most systems have finite keys. How can the security of those systems be characterized? Shannon showed that for these systems there exists a minimum length of message, called the "unicity distance", beyond which the cryptanalysis has a unique solution. This distance exists because of the redundancy of the language to which the clear-texts belong.

In that case the solution can be found by trying all the different keys: the key which gives a plausible clear-text is the right one. If the number of trials is too large, this exhaustive search must be considered impossible: one hopes that the cryptanalyst does not have enough time to find the solution.

But how can one be sure that all these trials are necessary? The complexity theory of algorithms is an attempt to answer this question.

2. The complexity of algorithms

This theory [2] tries to give a measure of the difficulty of solving a problem. Generally, an algorithm which solves a problem defines a computation which requires two types of resources: time (or number of steps of the computation) and space (or memory to store the information used by the computation). These define complexity measures. The complexity is a function of the length of the inputs of the computation.

Let us recall the main results of complexity theories. In a universal computational model (for example the Turing machines), a hierarchy of functions is defined according to the time complexity, that is to say, the number f(n) of computation steps. Complexity classes are defined in accordance with the rate of increase in n, the input length.

For example we have the following classes:

- linear: f(n) = O(n)
- polynomial: f(n) = O(n^a)
- exponential: f(n) = O(2^n)
- etc.

The notation O(a) means that the asymptotic value is proportional to a.

It is generally considered that a problem whose complexity is at least exponential is intractable, in the sense that there is no practical algorithm to solve it. On the other hand, polynomial time complexity is often identified with practical computability (there is no clear cut-off for the degree of polynomial time bounds). So it is important to distinguish polynomial time algorithms from exponential ones.

A new notion is needed: polynomial time reducibility. A problem A is polynomial time reducible to B if there is a total computable function f, computed in time bounded by a polynomial in the length of the input x, such that

A(x) = B(f(x)) for all x.

A has then been polynomially reduced to B. Another notion is relative completeness: let B be a problem in a collection C of problems. If every A in C is polynomially reducible to B, B is said to be C-hard, and if moreover B belongs to C, it is said to be C-complete. So, in a sense, C-complete problems are the hardest or most difficult problems in C.

3. The NP-completeness

To search for intermediate classes between the polynomial and exponential ones, non-deterministic algorithms have been considered. In these algorithms several instructions may be applicable at any point in the computation, and any one of them may be chosen.

So non-deterministic algorithms define as many computations as there are possible choices, and at least one of them leads to the solution. If the machine "guesses" the solution, it chooses the right computation; if the machine cannot guess the solution, it has to try all the possible computations, which in general are exponential in number.

The class of problems solvable by a polynomial time algorithm is called P; the class NP consists of the problems solvable by a non-deterministic algorithm in polynomial time (the machine is supposed to guess the solution).

It is very important to know the relationship between P and NP. This problem is one of the most important in the theory of computation.

Today the situation is not very clear. It is generally agreed (though unproven) that P is properly contained in NP. If so, NP would be a good intermediate class between P and the difficult problems. Another very interesting class is CO-NP. It consists of the problems whose complementary problems are in NP (the problems are supposed to be of the "yes-no" type, and the complementary problems are "no-yes"). It is not known whether NP = CO-NP. Under the hypothesis CO-NP ≠ NP, the NP-complete problems are not in the intersection of NP and CO-NP, so they are more difficult than those in NP ∩ CO-NP. For example, the composite numbers problem belongs to NP ∩ CO-NP. But if any NP-complete problem is in the intersection of NP and CO-NP, then NP = CO-NP.

G. Brassard [3] showed that if some one-way function f exists, then P is properly contained in the intersection of NP and CO-NP, and if f^{-1} is NP-hard, then NP = CO-NP.

A function f is one-way if it is easy to compute (f ∈ P) and f^{-1} is difficult (f^{-1} ∉ P).

Now it is obvious that the encryption and decryption operations are in P, since they generally run in linear time [4]. But decipherment can be seen as a non-deterministic cryptanalysis in which the right key is guessed; the cryptanalytic problem is thus in NP.

Now we arrive at the main question: is the cryptanalytic problem NP-complete? If so, there would be evidence that it is intractable.

From a very general point of view, the cryptanalytic problem amounts to solving a boolean equation whose unknowns are the bits of the key. This general problem (boolean satisfiability) is NP-complete.

Surely, the cryptanalysis of a specific cryptomachine is not NP-complete, because it is a particular boolean equation. But there is no reason for a specific algorithm for this machine to exist, unless the cryptomachine has some particularities usable by a specific algorithm. So the first guideline for designing a cryptosystem is the absence of any logical particularity.

However it must be stressed that complexity theory must be applied to cryptanalysis very cautiously:

- the computational theory deals with worst cases, and a highly complex function may be easy to compute almost always;

- in cryptanalysis an exact solution is not needed, and some NP-complete problems are known to have good approximate solutions that are easy to compute;

- the cryptanalyst may have enough auxiliary information to be able to solve the problem even if it is NP-complete [5].

4. The complexity of sequences

Let us examine another point of view. Instead of analyzing the machine itself, what can be said about the output sequence produced by the machine?

The lack of any logical particularity of the machine must find expression in the structure of the output, which must look like a random sequence.

According to Kolmogorov [6] and Chaitin [7], the complexity λ(S) of a sequence S is the length of the shortest program P such that a computer C which accepts P as input produces S as output. It can be shown that this complexity is independent of C (up to an additive constant).

This complexity measure has some important properties:

- the complexity of a sequence S is at most the length of S, because it is always possible to describe S by exhibiting it; such a program has the length of S;

- the complexity of most sequences of length n is about n. For example, for n large enough, about 99.8% of all sequences of length n have complexity greater than n - 10.

We can now define an algorithmically random sequence, denoted A-random. Roughly, a sequence is A-random if its complexity is about its length. More precisely, a sequence S of length n is t-A-random if its complexity is greater than n - t.

But there is no algorithm to decide whether a sequence is A-random. However, when n is large enough, the probability that a sequence of length n is A-random is close to one. So if a sequence is defined by tossing a coin, the probability that it is A-random is close to one.

The main interest of this theory is to establish connections between complexity and randomness. As a consequence, it justifies the claim that if the output of a crypto-machine is A-random, then the machine has no logical particularity and the cryptanalysis is probably hard.

Fortunately, A-randomness is consistent with the probabilistic definition: if a sequence is A-random then it is statistically random. But the converse is not true: some sequences that are statistically random are not A-random [8]. This means that statistical tests, although they cannot decide whether a sequence is A-random, are a good approximate algorithm for deciding randomness: if a sequence is not statistically random, then it is not A-random.
5. The apparent complexity

But in fact the sequence S produced by a cryptomachine is known to have low complexity, of the order of the length of the key K: for each clear-text m we have the equation

S = f_m(K).

As it is enough to consider a clear-text m whose length is the unicity distance, the complexity of S is that of K. But for every m, f_m^{-1} must be difficult (every f_m is one-way) so that it is infeasible to solve this equation for K. To find K is equivalent to finding a program which generates S. This leads to a new notion: the apparent complexity λ_A, which aims at measuring the difficulty of computing f_m^{-1}. Different measures of λ_A have already been proposed [9], [10] and are deduced from the structure of the sequence itself. We can now define apparent-randomness: a sequence is apparent-random if its apparent complexity is maximal (generally of the order of its length).

Let us observe that generally if S is A-random, it is apparent-random. Suppose that λ_A(S) is defined by the shortest program P_S such that on the computer C the output of P_S is K:

$$C(P_S) = K \implies S = f_m(K).$$

If S is not apparent-random, the length ℓ(P_S) of P_S must be very short compared to that of S.

The computer C can compute S from a program for f_m and from K:

$$S = C(f_m, K).$$

Let λ(S) be the complexity of S. Then

$$\lambda(S) \le \lambda(f_m) + \lambda(K) \approx \lambda(K)$$

for K large enough, so λ(K) ≈ λ(S). But

$$S = C(f_m, C(P_S)), \quad \text{so} \quad \lambda(S) \le \ell(P_S) \ll \ell(S),$$

which is impossible if S is A-random.



So the complexity notion can be approximated by algorithms, by statistics, and by apparent complexity. The corresponding notions of randomness are related in the following way:

[Figure: relations between the three notions of randomness. 1: apparent-random sequences; 2: statistically random sequences; 3: A-random sequences.]

The only effective algorithm is the statistical tests, and the problem is to define adequate statistical tests for randomness; this question is far from being clear today.
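As an added worked example, not part of the original paper: the Python code below implements the "approximate algorithm" of this section, two elementary statistical tests (frequency and runs), together with one concrete measure of apparent complexity in the sense of section 5, the linear complexity returned by the Berlekamp-Massey algorithm (my choice of measure; the paper does not say which measures [9] and [10] propose). Both are applied to one full period of a 10-stage linear feedback shift register with feedback polynomial x^10 + x^7 + 1 (the reciprocal of the primitive trinomial x^10 + x^3 + 1, so the period is 1023) and, for comparison, to 1024 bits of a seeded pseudo-random generator standing in for coin tosses. The LFSR output passes both statistical tests (exactly 512 ones in 1023 bits, about 512 runs) but its linear complexity is 10, the length of its seed: a sequence that is statistically random as far as these tests go, yet generated by a program of about 20 bits and hence very far from A-random, which is the paper's warning.

```python
import math
import random

# Fibonacci LFSR s[n] = s[n-10] xor s[n-3], feedback polynomial x^10 + x^7 + 1
# (reciprocal of the primitive trinomial x^10 + x^3 + 1), hence maximal
# period 2^10 - 1 = 1023.  Parameters chosen for this example only.
LFSR_DEGREE = 10
LFSR_TAP = 3


def lfsr_bits(length, seed=0b1000000001):
    """First `length` bits of the LFSR started from a non-zero 10-bit seed."""
    assert 0 < seed < (1 << LFSR_DEGREE), "seed must be a non-zero 10-bit state"
    s = [(seed >> i) & 1 for i in range(LFSR_DEGREE)]
    while len(s) < length:
        s.append(s[-LFSR_DEGREE] ^ s[-LFSR_TAP])
    return s[:length]


def prng_bits(length, seed=2024):
    """Stand-in for coin tosses: a seeded PRNG, so the run is reproducible
    (it is not a true random source, only a comparison sequence)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(length)]


def monobit_z(bits):
    """Frequency test: z-score of (#ones - #zeros) / sqrt(n); |z| < 3 passes."""
    n = len(bits)
    return (2 * sum(bits) - n) / math.sqrt(n)


def runs_count(bits):
    """Number of maximal runs; a random n-bit sequence has about n/2 + 1."""
    return 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length L of the shortest LFSR producing bits."""
    n = len(bits)
    c = [0] * (n + 1)   # current connection polynomial
    b = [0] * (n + 1)   # connection polynomial before the last length change
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                       # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):    # c(x) <- c(x) + x^shift * b(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def evaluate(bits):
    """The three measures for one bit sequence."""
    return {
        "monobit_z": monobit_z(bits),
        "runs": runs_count(bits),
        "expected_runs": len(bits) / 2 + 1,
        "linear_complexity": linear_complexity(bits),
    }


if __name__ == "__main__":
    period = (1 << LFSR_DEGREE) - 1
    print("LFSR, one full period:", evaluate(lfsr_bits(period)))
    print("PRNG, 1024 bits      :", evaluate(prng_bits(1024)))
```

The PRNG sequence, by contrast, has linear complexity close to n/2, which is what a coin-toss sequence of length n shows with probability close to one; linear complexity is the only one of the three measures that separates the two sequences here, and it is itself only an approximation of λ_A (a sequence can have maximal linear complexity and still be generated by a short non-linear program).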



6. Conclusion

To conclude, the application of complexity theories to the evaluation of crypto machines leaves much to be desired. Every theory has its pitfalls and shortcomings. Much remains to be done to achieve this goal.

However, every theory provides a complementary point of view on the subject. But today none of them gives any useful tool to evaluate the security of crypto machines, and till now statistical tests remain the most trustworthy evaluation.
ON CRYPTOSYSTEMS BASED ON POLYNOMIALS AND FINITE FIELDS



R. Lidl (University of Tasmania, Australia) 

ABSTRACT 

In many single-key, symmetric or conventional cryptosystems the elements of a finite field can be regarded as the characters of a plaintext and ciphertext alphabet. Some properties of polynomials or polynomial functions on finite fields can be used for constructing cryptosystems. This note demonstrates by way of examples that great care has to be taken in choosing polynomials for enciphering and deciphering. Often complex-looking polynomial functions induce very simple permutations of the elements of a finite field and therefore are not suitable for the construction of cryptosystems. Also an indication is given of some further areas of research in algebraic cryptography.

1. BINOMIALS 

There are several examples of cryptosystems that involve polynomials and finite fields; see e.g. [1], [4], [6], [8]. We have to confine our choice of polynomials to a relatively small class of polynomials for two reasons. First, the polynomial f(x) should induce a permutation of the elements of a finite field F_q; that is, f: F_q → F_q, a ↦ f(a) should be a permutation. Polynomials f(x) with this property are called permutation polynomials. Second, the inverse of f should be easy to compute for deciphering purposes by the authorized receiver. These two requirements on f considerably narrow the choice of polynomials.

Monomials x^k have been studied repeatedly as to their suitability for cryptography. In public-key (asymmetric) cryptosystems the RSA scheme uses the corresponding polynomial functions as enciphering and deciphering functions modulo an integer n. Some conventional exponentiation ciphers use the difficulty of calculating discrete logarithms in finite fields.

We consider binomials for conventional cryptosystems and show that their usefulness is very limited. Let

(1) f(x) = a x^k + b x

where k ≥ 2 is fixed independently of the prime power q. Niederreiter and Robinson [13] showed that no binomial of this form is a permutation polynomial of F_q for sufficiently large q. In detail:

T. Beth, N. Cot, and I. Ingemarsson (Eds.): Advances in Cryptology - EUROCRYPT '84, LNCS 209, pp. 10-15, 1985.
© Springer-Verlag Berlin Heidelberg 1985
THEOREM ([13], p. 209). Let k ≥ 2. Then:

(i) if k is not a prime power, then for all finite fields F_q with q > (k^2 - 4k + 6)^2 there is no permutation polynomial of F_q of the form (1) over F_q with ab ≠ 0;

(ii) if k is a power of the prime p, then for all finite fields F_q with q > (k^2 - 4k + 6)^2 and characteristic not equal to p there is no permutation polynomial of F_q of the form (1) over F_q with ab ≠ 0.

This result can be generalized to polynomials of the form a x^k + b x^j, ab ≠ 0, 1 ≤ j < k; see [13, p. 211]. Again, for sufficiently large q none of these binomials is a permutation polynomial of F_q.

Since the above results hold for k independent of q, let us consider the situation where k is of the form (q+1)/2, q odd. Then the family of polynomial functions in F_q[x] of the form

(2) f(x) = a x^{(q+1)/2} + b x

is closed under composition. It is easily verified that for two polynomials f_i(x) = a_i x^{(q+1)/2} + b_i x, i = 1, 2, we have

$$(f_1 \circ f_2)(x) = f_1(f_2(x)) = (a_1 c + b_1 a_2)\, x^{(q+1)/2} + (a_1 d + b_1 b_2)\, x \pmod{x^q - x},$$

where c + d = (a_2 + b_2)^{(q+1)/2} and c - d = (b_2 - a_2)^{(q+1)/2}. Thus it is possible to easily find the inverse g(x) of a given polynomial f(x) of the form (2) from f(x) ∘ g(x) = x, g(x) ∘ f(x) = x. In [13] it is shown that a polynomial f(x) = x^{(q+1)/2} + b x ∈ F_q[x] is a permutation polynomial of F_q if and only if b^2 - 1 is a nonzero square in F_q. So it appears that polynomials of the form (2) may be suitable candidates for enciphering functions in a cryptosystem. We note, however, that the mappings of F_q into itself induced by permutation polynomials (2) are very simple: since x^{(q+1)/2} = x on the squares and x^{(q+1)/2} = -x on the non-squares of F_q, we have f(s) = (a+b)s for a square s ∈ F_q and f(t) = (b-a)t for a non-square t ∈ F_q. Therefore the mapping f is linear on the squares and on the non-squares of F_q.

It may be fruitful to study binomials over the integers mod n and to use them in RSA-type cryptosystems instead of monomials x^k.
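As an added worked example (not from the paper), the following Python code checks the statements of this section exhaustively over a small prime field F_p (q = p prime, so that squares can be tested with Euler's criterion): that f(x) = a x^{(p+1)/2} + b x acts as multiplication by (a+b) on the squares and by (b-a) on the non-squares, the composition rule with c + d = (a_2+b_2)^{(p+1)/2} and c - d = (b_2-a_2)^{(p+1)/2}, and the permutation criterion. The criterion is stated in the paper for a = 1 (b^2 - 1 a non-zero square); the code applies the same argument to general a ≠ 0, where it becomes "b^2 - a^2 is a non-zero square", and derives the inverse g directly from the two multipliers instead of solving f ∘ g = x symbolically. The field sizes and the count (p-1)(p-3)/2 of permutation binomials with a ≠ 0 are my additions.

```python
def is_nonzero_square(s, p):
    """Euler's criterion: s is a non-zero square in F_p iff s^((p-1)/2) == 1."""
    s %= p
    return s != 0 and pow(s, (p - 1) // 2, p) == 1


def binomial_table(a, b, p):
    """Value table of f(x) = a x^((p+1)/2) + b x on F_p (index = x)."""
    e = (p + 1) // 2
    return [(a * pow(x, e, p) + b * x) % p for x in range(p)]


def is_permutation(table):
    return sorted(table) == list(range(len(table)))


def compose_coeffs(f1, f2, p):
    """Coefficients (A, B) of f1 o f2 = A x^((p+1)/2) + B x by the paper's rule:
    c + d = (a2+b2)^((p+1)/2), c - d = (b2-a2)^((p+1)/2)."""
    (a1, b1), (a2, b2) = f1, f2
    e, inv2 = (p + 1) // 2, pow(2, -1, p)
    s, t = pow(a2 + b2, e, p), pow(b2 - a2, e, p)    # s = c + d, t = c - d
    c, d = (s + t) * inv2 % p, (s - t) * inv2 % p
    return ((a1 * c + b1 * a2) % p, (a1 * d + b1 * b2) % p)


def inverse_coeffs(a, b, p):
    """Coefficients (a', b') of g with g o f = f o g = x for f = a x^((p+1)/2) + b x.
    f multiplies squares by (a+b) and non-squares by (b-a); g must undo each factor
    on the class that f maps onto.  Raises ValueError if f is not a permutation."""
    if not is_nonzero_square(b * b - a * a, p):
        raise ValueError("b^2 - a^2 is not a non-zero square: f is not a permutation")
    on_sq, on_nsq = (a + b) % p, (b - a) % p
    if is_nonzero_square(on_sq, p):          # squares -> squares, non-squares -> non-squares
        S, D = pow(on_sq, -1, p), pow(on_nsq, -1, p)
    else:                                    # the two classes are swapped by f
        S, D = pow(on_nsq, -1, p), pow(on_sq, -1, p)
    inv2 = pow(2, -1, p)                     # S = a' + b' (on squares), D = b' - a' (on non-squares)
    return ((S - D) * inv2 % p, (S + D) * inv2 % p)


def check_field(p):
    """Exhaustive check over F_p, p an odd prime: the permutation criterion, the
    linearity on squares and non-squares, the inverse, and the composition rule
    (pointwise, on a sample of pairs).  Returns the number of permutation binomials
    with a != 0, which equals (p-1)(p-3)/2."""
    squares = {x for x in range(1, p) if is_nonzero_square(x, p)}
    polys = [(a, b) for a in range(1, p) for b in range(p)]
    tables = {f: binomial_table(*f, p) for f in polys}
    perms = []
    for (a, b), tab in tables.items():
        assert is_permutation(tab) == is_nonzero_square(b * b - a * a, p)
        for x in range(1, p):
            factor = (a + b) if x in squares else (b - a)
            assert tab[x] == factor * x % p
        if is_permutation(tab):
            perms.append((a, b))
            g = inverse_coeffs(a, b, p)
            assert compose_coeffs(g, (a, b), p) == (0, 1)   # (0, 1) is the identity x
            assert compose_coeffs((a, b), g, p) == (0, 1)
    for f1 in polys[:p]:
        for f2 in polys[-p:]:
            comp = binomial_table(*compose_coeffs(f1, f2, p), p)
            assert comp == [tables[f1][tables[f2][x]] for x in range(p)]
    return len(perms)


if __name__ == "__main__":
    for p in (7, 11, 31):
        print(f"F_{p}: {check_field(p)} permutation binomials with a != 0")
    print("inverse of x^4 + 3x over F_7:", inverse_coeffs(1, 3, 7))
```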
2. CHEBYSHEV POLYNOMIALS OF THE SECOND KIND

Several generalizations of the RSA cryptosystem have been suggested based on different enciphering functions; see [1], [9] and [12]. In some of these papers Chebyshev polynomials of the first kind (or Dickson polynomials, as they are called in an algebraic/number theoretic context) and their multivariate generalization play a central role. Here we consider Chebyshev polynomials of the second kind as to their suitability for constructing cryptosystems over F_q. The Chebyshev polynomial f_k(x) of the second kind is defined by

$$f_k(x) = \sum_{i=0}^{\lfloor k/2 \rfloor} \binom{k-i}{i} (-1)^i x^{k-2i}.$$

We note that f_k(x) is a polynomial of degree k with integer coefficients. Alternative ways of defining the polynomials f_k(x) are by the recursive equation

$$f_{k+2}(x) - x f_{k+1}(x) + f_k(x) = 0 \quad \text{with } f_0(x) = 1,\ f_1(x) = x;$$

or by the functional equation

$$f_k(x) = \frac{u^{k+1} - u^{-(k+1)}}{u - u^{-1}}, \quad \text{where } x = u + u^{-1} \text{ and } u \neq \pm 1,$$

$$f_k(2) = k + 1 \quad \text{and} \quad f_k(-2) = (-1)^k (k+1).$$

The following result gives sufficient conditions to ensure that f_k(x) induces a permutation of F_q. Let q = p^e, p an odd prime.

THEOREM (Matthews [11]). The polynomial f_k(x) is a permutation polynomial of F_q if k satisfies the congruences

(3) k + 1 ≡ ±2 (mod p), k + 1 ≡ ±2 (mod ½(q-1)), k + 1 ≡ ±2 (mod ½(q+1)).

Proof idea. Let S be the subset of F_{q^2} consisting of all solutions of equations of the form x^2 - ax + 1 = 0, a ∈ F_q. Then S = {u ∈ F_{q^2} | u^{q-1} = 1 or u^{q+1} = 1}. The integer k must be odd, since either ½(q-1) or ½(q+1) is even. Thus f_k(-x) = -f_k(x). Let u ∈ F_{q^2} and u^2 - xu + 1 = 0. If u^{q-1} = 1, then u^{½(q-1)} = ±1. Now, if u^{½(q-1)} = 1, then u^{k+1} = u^2 or u^{k+1} = u^{-2}, since k + 1 ≡ ±2 (mod ½(q-1)). Therefore f_k(x) = (u^2 - u^{-2})/(u - u^{-1}) = u + u^{-1} = x, or f_k(x) = -(u + u^{-1}) = -x. The remaining cases u^{½(q-1)} = -1, u^{q+1} = 1 and u = ±1 are treated similarly.
It follows that f_k is its own inverse:

(f_k ∘ f_k)(x) = f_k(f_k(x)) = x whenever k satisfies (3).

Here the composite f_k(f_k(x)) is reduced modulo x^q - x. This would be a suitable property for a symmetric cryptosystem with secret key k. The above proof, however, shows that the mapping of F_q into itself induced by a permutation polynomial f_k(x) is not very complex at all, since f_k(-a) = -f_k(a) and f_k(a) = a or -a for each a ∈ F_q. So the complicated enciphering function induces a simple permutation of F_q.
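As an added worked example (not from the paper), the Python code below evaluates the Chebyshev polynomials of the second kind f_k over a prime field F_p by the recurrence above, lists the exponents k that satisfy the congruences (3) for q = p, and verifies for each of them what the proof shows: f_k permutes F_p, f_k ∘ f_k = x, and f_k(a) ∈ {a, -a} for every a. The primes p = 7 and p = 11 and the bound on k are my choices.

```python
def chebyshev2(k, x, p):
    """f_k(x) mod p by the recurrence f_{j+2} = x f_{j+1} - f_j, f_0 = 1, f_1 = x."""
    if k == 0:
        return 1
    f_prev, f_cur = 1, x % p
    for _ in range(k - 1):
        f_prev, f_cur = f_cur, (x * f_cur - f_prev) % p
    return f_cur


def satisfies_3(k, p):
    """Condition (3) of Matthews' theorem for q = p prime:
    k + 1 = +-2 modulo p, modulo (p-1)/2 and modulo (p+1)/2."""
    return all((k + 1) % m in {2 % m, (-2) % m}
               for m in (p, (p - 1) // 2, (p + 1) // 2))


def exponents_with_property(p, bound):
    """All k with 1 <= k < bound that satisfy (3) for the prime p."""
    return [k for k in range(1, bound) if satisfies_3(k, p)]


def value_table(k, p):
    """The map a -> f_k(a) on F_p as a list indexed by a."""
    return [chebyshev2(k, a, p) for a in range(p)]


def analyse(k, p):
    """(is f_k a permutation of F_p?, is f_k o f_k the identity?, is f_k(a) in {a, -a} for all a?)"""
    tab = value_table(k, p)
    perm = sorted(tab) == list(range(p))
    involution = all(tab[tab[a]] == a for a in range(p))
    sign_only = all(tab[a] in (a, (-a) % p) for a in range(p))
    return perm, involution, sign_only


if __name__ == "__main__":
    for p in (7, 11):
        # lcm(p, (p-1)/2, (p+1)/2) bounds one full cycle of solutions of (3)
        ks = exponents_with_property(p, p * (p - 1) * (p + 1) // 4)
        print(f"p = {p}: k satisfying (3):", ks)
        for k in ks:
            print(f"  k = {k}: (permutation, involution, f(a) = +-a) =", analyse(k, p))
    # an exponent that does not satisfy (3): f_3 = x^3 - 2x over F_11
    print("p = 11, k = 3:", analyse(3, 11))
```

Every exponent produced by the congruences gives a permutation that merely fixes or negates each element, exactly the weakness the section describes: a key k of this kind hides nothing, however large k is.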

3. COMMUTING POLYNOMIAL VECTORS

In order to implement digital signatures it is useful if the enciphering function E and the deciphering function D commute with respect to substitution; that is, E ∘ D = D ∘ E. If E_i and D_i are the enciphering function and deciphering function, respectively, of person i, then these functions are easy to handle if we require

E_i ∘ E_j = E_j ∘ E_i,  E_i ∘ D_j = D_j ∘ E_i,  D_i ∘ D_j = D_j ∘ D_i.

This leads to studying commuting or permutable polynomials. In [9] all possible classes of commuting polynomials in one variable were determined according to their suitability in RSA-type cryptosystems. Because of the following result, the classical Chebyshev polynomials T_n(x) of the first kind are of special interest. Bertram showed (see e.g. Rivlin [15, p. 161]) that over an integral domain R of characteristic zero, if n ≥ 2 and the polynomial f(x) of degree k ≥ 1 commutes under substitution with T_n(x), then f(x) = T_k(x) if n is even and f(x) = ±T_k(x) if n is odd. (A similar result holds if char R = p.) A two-dimensional generalization of this theorem was derived in [9]. We say that two polynomial vectors (f_1, f_2) and (g_1, g_2) in R[x,y]^2 commute if

(f_1(g_1, g_2), f_2(g_1, g_2)) = (g_1(f_1, f_2), g_2(f_1, f_2)).

In short

(f_1, f_2) ∘ (g_1, g_2) = (g_1, g_2) ∘ (f_1, f_2).

In [8], [9] or [10] a two-dimensional generalization of the Chebyshev polynomials T_n(x) is presented in terms of a polynomial vector (g_k(x,y), ḡ_k(x,y)), or (g_k, ḡ_k) for short. Let R be an integral domain of a characteristic that does not divide n ≥ 2. Then the following generalizes Bertram's result:

THEOREM ([7]). If f ∈ (R[x,y])^2 is of degree k ≥ 1, then f commutes with (g_n, ḡ_n) if and only if f is of the form

f = (α g_k, α^2 ḡ_k)  or  f = (α ḡ_k, α^2 g_k),

where α = 1 if n ≢ 1 (mod 3), or α^3 = 1 if n ≡ 1 (mod 3).

In the one-variable case all classes of commuting polynomials (so-called permutable chains) have been determined (see e.g. Lausch and Nöbauer [5] and [9]). The corresponding classification in the case of polynomial vectors in two variables is still an open problem. The Theorem above is a first result in this direction. Commuting polynomial vectors can be used for digital signatures analogous to the one-dimensional situation described in [9].

4. FURTHER PROBLEM AREAS

Brawley, Carlitz and Levine [2] have determined the polynomials f(x) ∈ F_q[x] which permute the set of n×n matrices with entries in F_q under substitution; that is, f: F_q^{n×n} → F_q^{n×n}, A ↦ f(A) is a permutation of matrices.

THEOREM ([2]). The polynomial f(x) ∈ F_q[x] is a permutation polynomial of F_q^{n×n} if and only if

(i) f(x) is a permutation of F_{q^r}, 1 ≤ r ≤ n; and

(ii) f'(x) does not vanish on any of the fields F_q, ..., F_{q^{⌊n/2⌋}}.

Such permutation polynomials could be used for enciphering plaintext messages which are arranged in matrix form. A first step would be to determine specific polynomials f(x) which are suitable as enciphering functions of such cryptosystems.

A different problem area is concerned with the study of iterative roots of functions over finite fields. The iterates of a function g: F_q → F_q are defined inductively by g^0(x) = x and g^n(x) = g(g^{n-1}(x)), n > 0. If f is another function on F_q with the property g^n = f, n ≥ 2, then g is called an iterative root of order n of f, or an nth iterative root of f.

In [3] the existence of iterative roots of f is investigated for special types of functions, such as linear functions, power functions x^k and Chebyshev polynomials of the first kind. Apart from theoretical existence theorems (developed in [3]), it could be potentially useful in cryptography to explicitly determine iterative roots of given functions. Our interest in this topic arose from the question: "When is f(f(z)) = az^2 + bz + c (a ≠ 0) for all complex numbers z?" Rice, Schweizer and Sklar [14] showed that the answer is: never.
1. Introduction



Various methods are being applied to design cryptographic systems. There is, however, a class of cryptosystems which can be defined by means of peculiar algebraic structures. They are embedded in a vector space spanned by the idempotent elements of an algebraic ring.

The purpose of this work is the presentation of mathematical tools which may be adapted to design a wide class of cryptosystems. Let Z_N be the ring with addition and multiplication modulo N, where N = p_1 p_2 ... p_n, p_i is prime for i = 1, ..., n and p_i ≠ p_j for i ≠ j. Now let us take into account an integer x ∈ Z_N. Then we can determine the sequence of integers

(1) (x_1, ..., x_n)

where x_i = x (mod p_i) for i = 1, ..., n. On the other hand, we define the integer

(2) LCM(x_1, ..., x_n) = LCM(x_1 (mod p_1), ..., x_n (mod p_n)) = [[x_1; ...; x_n]]

where LCM is the authors' notation for the least non-negative integer common to the residue classes x_i (mod p_i), i.e. the unique x ∈ Z_N with x ≡ x_i (mod p_i) for all i (the Chinese remainder reconstruction, not the least common multiple in the usual sense). The vector [[x_1; ...; x_n]] belongs to the ring ⊕_{i=1}^n Z_{p_i}, in which addition and multiplication are given as follows:

[[x_1; ...; x_n]] + [[y_1; ...; y_n]] = [[x_1 + y_1 (mod p_1); ...; x_n + y_n (mod p_n)]]

[[x_1; ...; x_n]] · [[y_1; ...; y_n]] = [[x_1 y_1 (mod p_1); ...; x_n y_n (mod p_n)]]

As is known [2], the rings Z_N and ⊕_{i=1}^n Z_{p_i} are isomorphic.

Example 1:

Let us take into account the ring Z_30 with p_1 = 2, p_2 = 3, p_3 = 5. If x = 17, then

x = [[17 (mod 2); 17 (mod 3); 17 (mod 5)]] = [[1; 2; 2]] ∈ Z_30.

The original value of x can be calculated according to the following expression:

LCM(1, 3, 5, 7, 9, 11, 13, 15, 17, ...; 2, 5, 8, 11, 14, 17, ...; 2, 7, 12, 17, ...) = 17.

For the elements x = 17 and y = 22 we can find

x + y = 17 + 22 = 9 (mod 30): [[1; 2; 2]] + [[0; 1; 2]] = [[1; 0; 4]]

xy = 17 · 22 = 14 (mod 30): [[1; 2; 2]] · [[0; 1; 2]] = [[0; 2; 4]]

From all elements of the ring ⊕_{i=1}^n Z_{p_i} we choose

(3) e_1 = [[1; 0; 0; ...; 0; 0]], e_2 = [[0; 1; 0; ...; 0; 0]], ..., e_n = [[0; 0; 0; ...; 0; 1]].

The vectors e_i (i = 1, ..., n) are also called basic idempotent elements. They have the following properties:

PR1. e_i^2 = e_i for i = 1, ..., n

PR2. e_1 + ... + e_n = 1 (mod N)

PR3. e_i e_j = 0 (mod N) for all i ≠ j

PR4. x = [[x_1; ...; x_n]] = Σ_{i=1}^n x_i e_i (mod N)

PR5. A sum of arbitrarily chosen basic idempotent elements is an idempotent one.

Example 2:

There are three basic idempotent elements in the ring Z_30, namely

e_1 = [[1; 0; 0]] = 15
e_2 = [[0; 1; 0]] = 10
e_3 = [[0; 0; 1]] = 6



2. Algebraic structure of public key cryptosystems

In this section we present two public key cryptosystems, namely the Rivest-Shamir-Adleman cryptosystem (RSA system) and the cryptosystem based on the knapsack problem (Merkle-Hellman cryptosystem). Both cryptosystems are designed by means of suitable algebraic rings.

The authors of the RSA system [5] proposed the cryptographic functions in the form

(4) c = E_k(m) = m^k (mod N)

(5) m = D_{k'}(c) = c^{k'} (mod N)

where m, c, k, k' represent a message, a cryptogram, a public key and a secret key, respectively, and N = p_1 ... p_n (p_i are different primes for i = 1, ..., n) determines the ring in which the cryptographic transformations are carried out. In order to find the original message at the receiver's side, the following congruence must be fulfilled:

(6) D_{k'}(c) = D_{k'}(E_k(m)) = c^{k'} = m^{kk'} = m (mod N)

As a result, we get the congruence in the form

(7) m^{kk'-1} = 1 (mod N)

Transforming (7) component-wise into the ring ⊕_{i=1}^n Z_{p_i}, we obtain the sequence of congruences given by

(9) m_i^{kk'-1} = 1 (mod p_i) for i = 1, ..., n
As is known [2], the sequence of congruences (9) holds for every message when

(10) (p_i - 1) | (kk' - 1) for i = 1, ..., n.

So the integer kk' - 1 must be a multiple of

(11) LCM(p_1 - 1, ..., p_n - 1) = λ(N).

Since in the RSA system the integer k is chosen randomly among the elements of Z_{λ(N)} that are coprime to λ(N), the integer k' is calculated at the receiver's side according to the congruence

(12) kk' = 1 (mod λ(N))

Now let us take into account an unauthorized user (UU) who observes both a cryptogram and the public key, and additionally knows the cryptographic transformations and the value of the integer N. When he wants to obtain the message from the cryptogram, he may employ two approaches. The first one relies on the factorization of N into primes, as the UU can then find λ(N) and finally decipher the cryptogram. If the UU additionally knows that n ≥ 3, then he may use the Pollard method [4] to carry out the factorization of N. This method requires O(√p) elementary operations, where p is the smallest among all the primes p_i, i = 1, ..., n. Hence, in the RSA system, one chooses the integer N in the form N = p_1 p_2 where p_1 and p_2 are of the same order, since the Pollard method then turns out to be inefficient for N of the order of a 200-digit decimal integer. Thus λ(N) may be written as

(13) λ(N) = LCM(p_1 - 1, p_2 - 1)

At last, let us notice that the difficulty of breaking the RSA cipher results from the fact that the ring ⊕_{i=1}^n Z_{p_i} cannot be determined easily by the UU when he knows only the ring Z_N.
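As an added worked example (not from the paper), the following Python code carries the derivation (4)-(13) through for a squarefree N with three prime factors: it computes λ(N) = LCM(p_1 - 1, ..., p_n - 1), derives k' from kk' ≡ 1 (mod λ(N)), checks that decryption inverts encryption for every m ∈ Z_N, including messages that share a factor with N, and then plays the unauthorized user of the text, who factors N with Pollard's rho method (expected cost about √p operations for the smallest prime factor p) and recovers k' from the factors. It also shows why the primes must be distinct: for N = 49 the same congruence kk' ≡ 1 (mod λ(N)) no longer returns every message. The primes, the exponents and the Miller-Rabin primality test used inside the factoring routine are my additions.

```python
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def carmichael_lambda(primes):
    """lambda(N) = LCM(p_1 - 1, ..., p_n - 1) for squarefree N = p_1 ... p_n (eqs. 11, 13)."""
    return reduce(lcm, (p - 1 for p in primes))


def rsa_keypair(primes, k):
    """Returns (N, k, k') with k k' = 1 (mod lambda(N)) (eq. 12); k must be coprime to lambda(N)."""
    lam = carmichael_lambda(primes)
    if gcd(k, lam) != 1:
        raise ValueError("k must be coprime to lambda(N) for k' to exist")
    N = reduce(lambda x, y: x * y, primes)
    return N, k, pow(k, -1, lam)


def encrypt(m, N, k):
    return pow(m, k, N)            # eq. (4)


def decrypt(c, N, k_priv):
    return pow(c, k_priv, N)       # eq. (5)


def check_all_messages(N, k, k_priv):
    """True iff (6) holds for every m in Z_N, including m not coprime to N."""
    return all(decrypt(encrypt(m, N, k), N, k_priv) == m for m in range(N))


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.4e14, far beyond this example."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(N, seed=2):
    """Pollard's rho (Floyd cycle finding) on a composite N: returns (non-trivial divisor, steps).
    The expected number of steps is about sqrt(p) for the smallest prime factor p of N."""
    if N % 2 == 0:
        return 2, 0
    x = y = seed
    c, steps = 1, 0
    while True:
        x = (x * x + c) % N
        y = (y * y + c) % N
        y = (y * y + c) % N
        steps += 1
        d = gcd(abs(x - y), N)
        if d == N:                 # the walk collapsed: retry with another polynomial x^2 + c
            x = y = seed
            c += 1
            continue
        if d > 1:
            return d, steps


def factor(N):
    """Sorted prime factors of N (small N only: rho plus recursion, no sieve)."""
    if N == 1:
        return []
    if is_probable_prime(N):
        return [N]
    d, _ = pollard_rho(N)
    return sorted(factor(d) + factor(N // d))


def recover_private_key(N, k):
    """The UU's first approach: factor N, form lambda(N), invert the public exponent."""
    return pow(k, -1, carmichael_lambda(factor(N)))


if __name__ == "__main__":
    N, k, kp = rsa_keypair((11, 13, 17), 7)
    print(f"N={N} lambda={carmichael_lambda((11, 13, 17))} k={k} k'={kp}",
          "all messages recovered:", check_all_messages(N, k, kp))
    print("N=49 (not squarefree), k=5, k'=17:", check_all_messages(49, 5, 17))
    N2, k2, kp2 = rsa_keypair((1009, 1013, 100003), 65537)
    d, steps = pollard_rho(N2)
    print(f"rho found divisor {d} of {N2} in {steps} steps; recovered k' matches:",
          recover_private_key(N2, k2) == kp2)
```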

We are now going to describe a cryptographic system that is based 
on idempotent elements. This cryptosystem similarly to the Merkle- 
Hellman system C1] (HH system) is used to encipher binary messages. I«t 
us assume that the initial condition of that system has been defined by 
the choice of n primes P j ,...,p Q and let N=p 1 ...p n . Thus, in the ring 
Z^, there exist n basic idempotent elements of the form 

t,*|D}0;...;0]| ... e n =|p;0;...;lj 
Similarly as in the MH system, we convert the elements $e_i$ according to the congruence

$k_i = e_i a \pmod q$, $i = 1, \dots, n$ (14)

where $q > \sum_{i=1}^{n} e_i$ (q is a prime), the integer a is randomly chosen from the set $Z_q$, and the sequence $k = (k_1, \dots, k_n)$ represents the public key. At the transmitter, a cryptogram is generated for a message $m = (m_1, \dots, m_n)$ according to the expression

$c = \left| \sum_{j=1}^{u} m_j k_j - \sum_{j=u+1}^{n} m_j k_j \right|$ (15)

where the subset $\{m_j ; j = 1, \dots, u\}$ is created arbitrarily by the sender.

At the receiver's side, the cryptogram is processed as follows:

$c' = c a^{-1} \pmod q$ (16)

Substituting (15) into (16), we get

$c' \equiv \left| \sum_{j=1}^{u} m_j e_j - \sum_{j=u+1}^{n} m_j e_j \right| \pmod q$ (17)

Since under the sign of absolute value we may have both positive and negative values, we get two integers $c'$ and $c''$ obeying the congruence (17), where

$c'' = q - c'$ (18)

Using $c'$ and $c''$, we find two sequences

$c' \to (c'_1, \dots, c'_n)$ where $c'_i = c' \pmod{p_i}$; $i = 1, \dots, n$

$c'' \to (c''_1, \dots, c''_n)$ where $c''_i = c'' \pmod{p_i}$; $i = 1, \dots, n$

One of the sequences given above is the message we are looking for. As has been proved in [3], one can find such a transformation (14) that one of these sequences will already be rejected at the beginning of the deciphering process.

It is noteworthy that the cipher considered is based, similarly to the MH system, on the knapsack problem. Hence, it has advantages and drawbacks similar to that system. Nevertheless, compared to the MH system, the cryptosystem based on idempotent elements has two additional advantages, namely it:

- decreases the redundancy of cryptograms,

- makes the knapsack problem much more difficult to solve.

We should also point to the flexibility of the considered system, as it allows one to encipher messages represented not only by binary sequences.

Giving our attention to algebraic properties, we may state that the constructions of the two rings $Z_N$ and $\bigoplus_{i=1}^{n} Z_{p_i}$ are kept secret, since their disclosure may allow one to discover the clear message. In order to protect the rings, we have injected the idempotent elements into the field $Z_q$.

Of course, the cryptosystem with idempotent elements can be treated as a modification of the MH cryptosystem. Nevertheless, considering these cryptosystems, we may notice what influence the determination of its algebraic structure has over the quality of a cryptosystem. In the MH system, a vector of integers $(d_1, \dots, d_n)$ (where $\sum_{i<j} d_i < d_j$ for $j = 2, \dots, n$) creates the initial condition (the vector space) of the cryptosystem. But this simple vector space stands in the way of flexible creation of cryptograms. The situation is quite different when we deal with the cryptosystem based on idempotent elements.
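The enciphering and deciphering steps (14) to (18) above in working code, as an added example that is not part of the original paper. The basic idempotents $e_i$ are built by the Chinese remainder theorem, the public key follows (14), the cryptogram follows (15), and the receiver forms both candidates $c'$ and $c'' = q - c'$ and reduces them modulo every $p_i$. The primes, the multiplier a, the split index u and the rejection rule used to discard the wrong candidate (for a binary message every residue must be 0, 1 or $p_i - 1$, since $c'$ is $\pm$ the true sum) are this example's own assumptions; the paper refers to [3] for its actual rejection criterion.

```python
from itertools import product


def basic_idempotents(primes):
    """e_i in Z_N with e_i = 1 (mod p_i) and e_i = 0 (mod p_j) for j != i, where N = p_1 ... p_n."""
    N = 1
    for p in primes:
        N *= p
    es = []
    for p in primes:
        Ni = N // p                          # vanishes modulo every other prime; scale it to 1 mod p
        es.append(Ni * pow(Ni, -1, p) % N)
    return N, es


def next_prime(x):
    """Smallest prime >= x, by trial division (fine for the toy sizes used here)."""
    def is_prime(v):
        return v > 1 and all(v % d for d in range(2, int(v ** 0.5) + 1))
    while not is_prime(x):
        x += 1
    return x


def keygen(primes, a):
    """(14): k_i = e_i * a (mod q) for a prime q > sum(e_i); a is the receiver's secret multiplier."""
    N, es = basic_idempotents(primes)
    q = next_prime(sum(es) + 1)
    if not 0 < a < q:
        raise ValueError("a must be a nonzero element of Z_q")   # q prime, so a is then invertible
    public_key = [e * a % q for e in es]
    private = {"primes": primes, "N": N, "es": es, "q": q, "a": a}
    return private, public_key


def encipher(public_key, m, u):
    """(15): c = | sum_{j<=u} m_j k_j - sum_{j>u} m_j k_j |; the split u is the sender's free choice."""
    plus = sum(m[j] * public_key[j] for j in range(u))
    minus = sum(m[j] * public_key[j] for j in range(u, len(m)))
    return abs(plus - minus)


def decipher(private, c):
    """(16)-(18): c' = c a^-1 (mod q), c'' = q - c'; reduce both modulo every p_i and keep only the
    candidates whose residues can come from a binary message (assumption of this example)."""
    q, a, primes = private["q"], private["a"], private["primes"]
    c1 = c * pow(a, -1, q) % q
    messages = []
    for cand in (c1, (q - c1) % q):
        residues = [cand % p for p in primes]
        if all(r in (0, 1, p - 1) for r, p in zip(residues, primes)):
            messages.append(tuple(0 if r == 0 else 1 for r in residues))
    return messages


def demo():
    """Worked instance with N = 3 * 5 * 7 (constructed for this example) plus an exhaustive check
    that every 3-bit message, under every split u, deciphers to a candidate list containing it."""
    private, public_key = keygen((3, 5, 7), a=10)
    c = encipher(public_key, (1, 0, 1), u=2)
    found = decipher(private, c)
    all_ok = all(
        m in decipher(private, encipher(public_key, m, u))
        for m in product((0, 1), repeat=3)
        for u in range(0, 4)
    )
    return public_key, c, found, all_ok
```

With these parameters the basic idempotents are 70, 21 and 15, so q = 107 and the public key is (58, 103, 43); the message (1, 0, 1) split at u = 2 gives c = 15, and only the first candidate survives the residue check.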

3. Algebraic structure of cryptographic transformations which preserve arithmetic operations

In many situations, processing tasks may be performed using only two elementary arithmetic operations (addition and multiplication). Also, input messages (integers) are required not to be accessible to the UU, not only while they are being transmitted over the channel but while they are processed in the computer system as well (see Fig. 1).

Fig. 1. Application of cryptomorphisms

So the cryptographic transformation which preserves the arithmetic operations (also called a cryptomorphism) has to fulfill the following conditions:

C1. $\forall m', m'' \in M$: $f(m' + m'', k) = f(m', k) + f(m'', k)$

C2. $\forall m', m'' \in M$: $f(m' m'', k) = f(m', k) \cdot f(m'', k)$

C3. $\forall d \in Z^+, \forall m \in M$: $f(dm, k) = d\, f(m, k)$

for a fixed key $k \in K$, where M, K and $Z^+$ are the sets of messages, keys, and positive integers, respectively, and f is a cryptomorphism. The simplest form of such a cryptomorphism takes the shape

$c = f(m, k) = mk$ (19)

while $m \in M$, $k \in K$, $c \in C$ (C is the set of cryptograms), and $M, K, C \subseteq Z_N$ ($N = p_1 \cdots p_n$; $p_i$ are primes for $i = 1, \dots, n$ and $p_i \ne p_j$ for $i \ne j$). Moreover, the key set is exclusively composed of idempotent elements of the ring $Z_N$.
Example 3:

For the ring $Z_{12}$, the set of keys contains three elements, namely $K = \{1, 4, 9\}$.

A key is an idempotent element of $Z_N$, so there are two integers $N^0$ and $N^1$ which fulfill the following congruences:

$k \equiv 0 \pmod{N^0}$ (20)

$k \equiv 1 \pmod{N^1}$ (21)

where $N = N^0 N^1$. As a result, we have that the cryptographic function of the deciphering system is determined by the formula

$m = f^{-1}(c, k) = c \pmod{N^1}$ (22)

where $m \in M$, $c \in C$, $k \in K$, and k assigns one and only one value of $N^1$ while N is fixed. Furthermore, in order to find the correct message, it has to fulfill an inequality of the form

$0 \le m \le N^1 - 1$ (23)

Example 4:

Let the ring be determined for $N = 3 \cdot 5 \cdot 7 = 105$ and assume that the key is $k = [1 \pmod 3;\ 0 \pmod 5;\ 1 \pmod 7] = 85 \pmod{105}$. If $k = 85$, then $N^1 = 21$. Thus, for $m = 20$, we have the cryptogram $c = mk = 1700$. To obtain the original message, we apply (22) as follows:

$m = c \pmod{N^1} = 1700 \pmod{21} = 20$

After having examined the cryptomorphism in detail, we obtain its properties as follows:

P1. For a fixed ring $Z_N$, there is a one-to-one mapping between keys (idempotent elements) and pairs $(N^0, N^1)$, where $N = N^0 N^1$.

P2. The enciphering and deciphering transformations are defined according to the following formulae:

$f(m, k) = mk$

$f^{-1}(c, k) = c \pmod{N^1}$

P3. For any message $m \in Z_N$, there are m different cryptograms of the shape

$c = m' + f(m'', k)$

where $m' + m'' = m$ and $m' = 0, \dots, m - 1$.

P4. If an integer m has its inverse $m^{-1}$ ($m \cdot m^{-1} \equiv 1 \pmod N$), then the cryptograms of m and $m^{-1}$ satisfy the following congruence:

$f(m, k)\, f(m^{-1}, k) \equiv 1 \pmod{N^1}$

Taking into account these properties, we can formulate four restrictions which have to be imposed to ensure the correctness of computations. These are:

R1. All messages which are necessary to execute a program should satisfy the inequality

$0 \le m \le N^1 - 1$, $m \in M$ (24)

R2. A final result which would be obtained without using cryptographic protection also has to fulfill (24).

R3. The execution of a processing task must be possible using only the four basic arithmetic operations, and all intermediate results have to have the form of either integers or fractions.

R4. Cryptograms of a numerator and a denominator should be determined separately when both the message and the anticipated final result are fractions.

Example 5:

Suppose that the expression

$a = \dfrac{4 + m}{2m^2 - 4}$

should be calculated for $m = 3$. Of course, if we perform the calculations for the clear message $m = 3$, we shall get $a = 0.5$. Let us assume that $N = 3 \cdot 5 \cdot 7$ and the key $k = [1 \pmod 3;\ 1 \pmod 5;\ 0 \pmod 7] = 91 \pmod{105}$, so that $N^1 = 15$. In order to simplify our computations, instead of the cryptogram $c = mk = 273$, we accept the cryptogram $c = m' + m''k = 2 + 91 = 93$ for $m' + m'' = 3$ and $m' = 2$ (see P3). Thus, we have

$f(a, k) = \dfrac{4 + f(m, k)}{2 f^2(m, k) - 4} = \dfrac{4 + 93}{2 \cdot 93^2 - 4} = \dfrac{97}{17294} = \dfrac{f(a', k)}{f(a'', k)}$

For the cryptogram $f(a', k)$, we obtain the clear form of the numerator

$a' = f^{-1}(97, k) = 97 \pmod{15} = 7$

However, for $f(a'', k)$, we get

$a'' = f^{-1}(17294, k) = 17294 \pmod{15} = 14$

Whence, we have the final result $a = 7/14 = 0.5$. As any fraction can be presented in different ways, special precautions should be undertaken in the case of fraction calculations. In order to illustrate the difficulties, we take the expression

$f(a, k) = \dfrac{97}{17294} = \dfrac{194}{34588}$

After having deciphered the cryptograms of the numerator and the denominator, we get $194 \pmod{15} = 14$ and $34588 \pmod{15} = 13$, i.e. the wrong final result $a = 14/13$.
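Examples 4 and 5 carried through in code, as an added example that is not part of the original paper. The key is built directly from the pair $(N^0, N^1)$ of property P1 (the one-line step $k = N^0 \cdot (N^0)^{-1} \bmod N^1$, which satisfies (20) and (21), is this example's own construction), the fraction is kept as a separate numerator and denominator as restriction R4 demands, and the last function reproduces the scaling pitfall of Example 5 together with the consequence of violating restriction R1 (a message of 20 under $N^1 = 15$). A checker verifies C1 and C2 after deciphering for every pair of admissible messages. Function names are the example's own.

```python
from fractions import Fraction
from math import prod


def idempotent_key(primes, ones):
    """Key with k = 1 (mod p_i) for the primes flagged in `ones` and k = 0 (mod the others):
    N^1 = product of the flagged primes, N^0 = N / N^1, k = N^0 * (N^0)^-1 mod N^1 (eqs. 20, 21)."""
    n1 = prod(p for p, flag in zip(primes, ones) if flag)
    n0 = prod(primes) // n1
    k = n0 * pow(n0, -1, n1) % (n0 * n1)
    return k, n1


def is_idempotent(k, N):
    return k * k % N == k


def encipher(m, k, m_prime=0):
    """(19), with the P3 variant: c = m' + (m - m') k; m' = 0 gives the plain c = m k."""
    return m_prime + (m - m_prime) * k


def decipher(c, n1):
    """(22): f^-1(c, k) = c (mod N^1); correct only while the clear value satisfies (23)/(24)."""
    return c % n1


def example4():
    k, n1 = idempotent_key((3, 5, 7), (1, 0, 1))      # k = 85, N^1 = 21
    return k, n1, decipher(encipher(20, k), n1)


def example5():
    """Evaluate a = (4 + m) / (2 m^2 - 4) for m = 3 on the cryptogram c = 2 + 1 * k (m' = 2)."""
    k, n1 = idempotent_key((3, 5, 7), (1, 1, 0))      # k = 91, N^1 = 15
    c = encipher(3, k, m_prime=2)                     # 93
    num_c = 4 + c                                     # cryptogram of the numerator   (C1, C3)
    den_c = 2 * c * c - 4                             # cryptogram of the denominator (C2, C3)
    a = Fraction(decipher(num_c, n1), decipher(den_c, n1))
    return k, n1, c, num_c, den_c, a


def pitfalls():
    """Two ways the protected evaluation silently goes wrong."""
    k, n1 = idempotent_key((3, 5, 7), (1, 1, 0))
    # (a) rescaling the enciphered fraction: 97/17294 = 194/34588 as rationals, but the
    #     deciphered numerator and denominator no longer give 7/14
    scaled = Fraction(decipher(2 * 97, n1), decipher(2 * 17294, n1))
    # (b) violating R1: 20 >= N^1 = 15, so 20 k deciphers to 20 mod 15 = 5
    too_large = decipher(encipher(20, k), n1)
    return scaled, too_large


def check_properties(primes, ones):
    """C1 and C2 checked after deciphering, for all pairs of messages below N^1, plus k^2 = k in Z_N."""
    k, n1 = idempotent_key(primes, ones)
    N = prod(primes)
    pairs = [(x, y) for x in range(n1) for y in range(n1)]
    sums = all(decipher(encipher(x, k) + encipher(y, k), n1) == (x + y) % n1 for x, y in pairs)
    prods = all(decipher(encipher(x, k) * encipher(y, k), n1) == (x * y) % n1 for x, y in pairs)
    return is_idempotent(k, N) and sums and prods
```

Note that with n distinct primes the ring has only $2^n$ idempotents, so the key set K of Section 3 is tiny (three usable keys for $Z_{12}$ in Example 3); the secrecy of the scheme therefore rests entirely on the secrecy of the factorization of N, which is what the example's `idempotent_key` needs as input.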



4. Conclusions

Cryptographic transformations in public key cryptosystems depend on the determination of suitable algebraic structures. In the RSA system, such a structure is defined by means of only two basic idempotent elements. Next, in the cryptosystem with idempotent elements, the algebraic structure of a ring is based on many basic idempotent elements. Moreover, the more idempotent elements are applied, the higher the quality of the system (opposite to the RSA system).

Also, we have presented how an algebraic structure can be applied for the construction of cryptomorphisms. Only the simplest case has been considered, in which the cryptographic transformation relies on multiplying a message by a cryptographic key which is an idempotent element. It is possible to notice that cryptomorphisms can also be defined with the aid of a matrix of idempotent elements.
I - INTRODUCTION

Several authors have recently proposed digital signature schemes [1], [2], ... In an environment where identification is not possible and the transmission is safe, the use of these schemes certifies that the data originated from the legitimate person. However, in an environment where identification can be ensured by other means and where transmission is done in an unsafe medium, the use of these same schemes ensures data integrity: any modification of the data during transmission shows up when one checks the corresponding signature.

The systematic use of signature functions for data integrity has two important shortcomings:

1) The redundancy introduced by the signature schemes is about as long as the data to be protected.

2) The average number of computing steps per protected digit is very large.

In this paper we introduce some functions allowing the use of data integrity witnesses which introduce minimal redundancy (50 digits for about 10,000 digits of data). The average number of operations per protected digit is kept small.

We study the cryptographic strength of these functions and show that it increases with the length of the data being protected.

II - SEAL FUNCTIONS

Let $\mathcal{T}$ be the set of texts made of strings of n decimal digits: $\mathcal{T} = R^n$, where R is the ring of decimal digits. Let $\mathcal{S}$ be the set of strings of p decimal digits: $\mathcal{S} = R^p$. A seal function s is a function

$s : \mathcal{T} \to \mathcal{S}$

A seal of a text T is then $s(T)$.

The seal function is used for transmission or storing in the following way: prior to the transmission of the data on an unsafe medium, a seal is computed. It is then processed with the data.

When retrieving the data from an unsafe medium, a seal is recomputed from the data and compared with the one that is retrieved from the unsafe medium. If the two seals coincide, the data is considered free from alterations.
III - CONSTRAINTS ON THE SEAL FUNCTION

a) length of the seal

The seal being a decimal quantity, a length p of more than 20 decimal digits is enough to ensure that random attacks on the seal have a low probability of succeeding. If n is any integer between 10,000 and 100,000, then one is sure that in any application the data flow is not interrupted too often for seal computation or recomputation.

b) attacks on the seal and unforgeability

The data that is to be protected by the seal is highly structured. The structure and content are known to an opponent. The aim of an opponent of the system is to modify the data, and if necessary (and possible) the seal, in such a way that the modified seal is legitimately associated to the modified data.



Let n = 10,000 and p = 20, and let $s : R^{10000} \to R^{20}$ be a seal function.

For a given seal S, the cardinality of $s^{-1}(S)$, that is the set of texts having the given seal, is of the order of $|R|^{9980} = 10^{9980}$.

Any structure in that set will help an opponent in finding many of its elements.

Any structure relating $s^{-1}(S)$ and $s^{-1}(S')$ for two different seals S and S' will also help an opponent in finding many of their elements. This leads us to the following conditions.

i) The mapping $s : R^n \to R^p$ is a random variable, uniformly distributed on $R^p$, for each probability distribution on $R^n$.

ii) For any given text $(t_1, \dots, t_n)$, let $I = \{1, \dots, n\}$. The mapping

$I \times R \to R^p$, $(i, r) \mapsto s(t_1, \dots, t_{i-1}, t_i + r, t_{i+1}, \dots, t_n) - s(t_1, \dots, t_n)$

should be a uniformly distributed random variable, for each probability distribution on $I \times R$.

iii) Let $S_n$ be the permutation group of $I = \{1, \dots, n\}$, and $\sigma$ an element of $S_n$. For any given text $(t_1, \dots, t_n)$, the mapping

$S_n \to R^p$, $\sigma \mapsto s(t_{\sigma(1)}, \dots, t_{\sigma(n)}) - s(t_1, \dots, t_n)$

should be a uniformly distributed random variable for each probability distribution on $S_n$.



c) computational complexity of the seal function

A seal function is primarily intended to be used in software. Therefore a seal function should have a low computational complexity per protected digit. Most of the well known cryptographic algorithms have a high computational complexity per ciphered digit of data and therefore perform poorly in software. Using a cryptographic algorithm in a feedback mode meets the unforgeability requirements, but leads to a very slow seal computation.

[Figure (not reproduced): a cryptographic algorithm used in feedback mode under a secret key; the first computation is at block 1, and the chain of cryptograms continues up to the computation at block n.]

IV - SOME EXAMPLES OF SEAL FUNCTIONS

a) the sum function

Let b be any integer between 1 and n. For a text $(t_1, \dots, t_n)$, let

$T_1 = t_1 \dots t_b$, $T_2 = t_{b+1} \dots t_{2b}$, ..., $T_n = t_{(n-1)b+1} \dots t_{nb}$

Define the seal of the text $t_1 \dots t_n$ as

$s(t_1, \dots, t_n) = \sum_{i} T_i$

This seal depends on every digit of the text, but satisfies neither requirement i) nor ii). Moreover, any permutation of the digits of the text corresponding to a permutation of the blocks $T_i$ leads to the same seal.

b) the sum of cryptos

Let C be a cryptographic function, assigning to each block of b digits of text a cryptogram of length d:

$C : R^b \to R^d$, $(t_1, \dots, t_b) \mapsto (c_1, \dots, c_d) = C(t_1, \dots, t_b)$

Let

$C_1 = c_1 \dots c_d = C(t_1 \dots t_b)$

$C_2 = c_{d+1} \dots c_{2d} = C(t_{b+1} \dots t_{2b})$

...

$C_n = c_{(n-1)d+1} \dots c_{nd} = C(t_{(n-1)b+1} \dots t_{nb})$

and let $s(t_1, \dots, t_n) = \sum_i C_i$.

This seal function satisfies requirement i) but not ii). Any permutation of the digits of the text corresponding to a permutation of the blocks being ciphered leads to the same seal.

c) the concatenation of signatures

Let r, q be two large primes, kept secret, and $m = q \cdot r$. Let l be the length of m, and $T_1 = t_1 \dots t_l$, $T_2 = t_{l+1} \dots t_{2l}$, ..., $T_n = t_{(n-1)l+1} \dots t_{nl}$.

The legitimate owner of the text, knowing the factorisation of m, can easily compute square roots in $Z_m$ (for those blocks $T_i$ that are quadratic residues modulo m).

Let $s_1 = \sqrt{T_1} \bmod m$, $s_2 = \sqrt{T_2} \bmod m$, ..., $s_n = \sqrt{T_n} \bmod m$.

Define $s(t_1, \dots, t_n)$ as $(s_1, \dots, s_n)$.

This seal function meets most of the requirements on unforgeability. Its shortcomings are the computational effort as well as the length of the seal, which is as long as the text itself; and a permutation of two portions of the text together with their corresponding signatures leads to a new, legitimate, altered seal.

d) a new seal function (1)

Let $A = (a_{ij})$ be a square matrix of order n, whose entries are random integers chosen by the originator of the text and kept secret.

Let $T = (t_1, \dots, t_n)$ be a text;

$s(T) = T^t A T = \sum_{i,j} a_{ij} t_i t_j$

is the seal of T.

This seal involves only arithmetic operations for its computation. The total number of operations to compute a seal is seen to be $O(n^2)$ multiplications and $O(n^2)$ additions. It is easily checked that the unforgeability requirements are met.

A potential forger of seals has to know the matrix $(a_{ij})$ in order to create a legitimate seal for a given text. Let us suppose that the forger holds u texts $(t_1^{(1)}, \dots, t_n^{(1)}), \dots, (t_1^{(u)}, \dots, t_n^{(u)})$ and their corresponding seals $s_1, s_2, \dots, s_u$.

To obtain the matrix $(a_{ij})$ he has to solve the following system:

$\sum_{i,j} a_{ij}\, t_i^{(1)} t_j^{(1)} = s_1$

...

$\sum_{i,j} a_{ij}\, t_i^{(u)} t_j^{(u)} = s_u$

In this system the $t_i^{(u)}$, $t_j^{(u)}$ and $s_u$ are known.
Two methods are indicated to make this system unsolvable.

- Change the matrix $(a_{ij})$ often enough so that a potential forger cannot obtain enough information from existing seals in order to solve the system.

- Choose n large enough, so that the best known algorithms for solving dense linear systems fail to do so in a short amount of time. The seal system is strengthened by increasing the length of the text being protected.
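The forgery computation described above, as an added example that is not part of the original paper. It computes the seal $s(T) = T^t A T$ over the integers (the paper does not say whether the seal is reduced to p digits; no reduction is assumed here), then plays the forger. Because $t_i t_j = t_j t_i$, only the $n(n+1)/2$ combinations $b_{ii} = a_{ii}$ and $b_{ij} = a_{ij} + a_{ji}$ enter the seal, so the system is linear in those unknowns and that many generic text/seal pairs determine them by exact Gaussian elimination; the forger then seals any new text. The secret matrix, the digit strings and all function names are constructed for this example.

```python
from fractions import Fraction
import random


def seal(A, text):
    """s(T) = T^t A T = sum_{i,j} a_ij t_i t_j, evaluated over the integers."""
    n = len(text)
    return sum(A[i][j] * text[i] * text[j] for i in range(n) for j in range(n))


def monomials(text):
    """The products t_i t_j (i <= j) multiplying the forger's unknowns b_ii and b_ij = a_ij + a_ji."""
    n = len(text)
    return [text[i] * text[j] for i in range(n) for j in range(i, n)]


def solve_exact(rows, rhs):
    """Gauss-Jordan elimination over the rationals. Returns the unique solution of rows * x = rhs,
    or None when the system is inconsistent or still leaves a free unknown."""
    m, k = len(rows), len(rows[0])
    M = [[Fraction(v) for v in row] + [Fraction(b)] for row, b in zip(rows, rhs)]
    pivot = 0
    for col in range(k):
        piv = next((r for r in range(pivot, m) if M[r][col] != 0), None)
        if piv is None:
            return None                        # column without pivot: that unknown is undetermined
        M[pivot], M[piv] = M[piv], M[pivot]
        inv = 1 / M[pivot][col]
        M[pivot] = [x * inv for x in M[pivot]]
        for r in range(m):
            if r != pivot and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[pivot])]
        pivot += 1
    if any(M[r][k] != 0 for r in range(pivot, m)):
        return None                            # inconsistent: the seals are not of this form
    return [M[i][k] for i in range(k)]


def recover_symmetrized(texts, seals):
    """Forger's step: one linear equation per known text/seal pair, solved for the b_ij."""
    sol = solve_exact([monomials(t) for t in texts], seals)
    if sol is None:
        return None
    n = len(texts[0])
    B = [[Fraction(0)] * n for _ in range(n)]
    idx = 0
    for i in range(n):
        for j in range(i, n):
            B[i][j] = sol[idx]
            idx += 1
    return B                                   # upper triangular: B[i][i] = a_ii, B[i][j] = a_ij + a_ji


def forge_seal(B, text):
    """Seal of an arbitrary new text from the recovered B; equals seal(A, text) for every text."""
    n = len(text)
    return sum(B[i][j] * text[i] * text[j] for i in range(n) for j in range(i, n))


def attack(n=4, seed=7):
    """Generate a secret A, collect sealed texts until the system is solvable, forge a fresh seal."""
    rng = random.Random(seed)
    A = [[rng.randint(-50, 50) for _ in range(n)] for _ in range(n)]   # originator's secret
    texts, seals, B = [], [], None
    while B is None:                                                   # needs >= n(n+1)/2 pairs
        t = [rng.randint(0, 9) for _ in range(n)]                      # a text of n decimal digits
        texts.append(t)
        seals.append(seal(A, t))
        if len(texts) >= n * (n + 1) // 2:
            B = recover_symmetrized(texts, seals)
    new_text = [rng.randint(0, 9) for _ in range(n)]
    return len(texts), forge_seal(B, new_text) == seal(A, new_text)
```

The number of pairs the forger needs therefore grows as $n^2/2$, which is the quantitative content of the two countermeasures above: refresh A before that many seals have been issued, or make n large enough that the dense elimination itself is out of reach.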

e) a new seal function (2)

Let $A = (a_1, \dots, a_{n'})$ be a sequence of random integers of length n', chosen by the originator of the text and kept secret. Define

$s(T) = \sum_{i < j} a_i a_j t_i t_j$

This seal function involves only arithmetic operations to compute a seal, and the total number of operations is then $2n'^2$ additions and $2n'^2$ multiplications. It meets the unforgeability requirements.

A potential forger has to know the sequence A in order to create a legitimate seal for a given text.

Let us suppose he knows u texts $(t_1^{(1)}, \dots, t_n^{(1)}), \dots, (t_1^{(u)}, \dots, t_n^{(u)})$ and their corresponding seals $s_1, \dots, s_u$.

He therefore has to solve a system which is quadratic in the unknown $a_i$'s:

$\sum_{i < j} a_i a_j\, t_i^{(u)} t_j^{(u)} = s_u$

The complexity of finding the $a_i$'s is equivalent to factoring this polynomial. The complexity of this problem is $O(n^3 + n^2 \log n)$ in a modular version of the problem.

ABSTRACT

Consider the following situation. K data bits are to be encoded into N > K bits and transmitted over a noiseless channel. An intruder can observe a subset of his choice of size $\mu < N$. The encoder is to be designed to maximize the intruder's uncertainty about the data given his $\mu$ intercepted channel bits, subject to the condition that the intended receiver can recover the K data bits perfectly from the N channel bits. The optimal tradeoffs between the parameters K, N, $\mu$ and the intruder's uncertainty H (H is the "conditional entropy" of the data given the $\mu$ intercepted channel bits) were found. In particular, it was shown that for $\mu = N - K$, a system exists with $H \approx K - 1$. Thus, for example, when $N = 2K$ and $\mu = K$, it is possible to encode the K data bits into 2K channel bits, so that by looking at any K channel bits, the intruder obtains essentially no information about the data.

Wire-Tap Channel II

L. H. Ozarow
A. D. Wyner

AT&T Bell Laboratories
Murray Hill, New Jersey 07974

1. Introduction

In this paper we study a communication system in which an unauthorized intruder is able to intercept a subset of the transmitted symbols, and it is desired to maximize the intruder's uncertainty about the data without the use of an encryption key (either "public" or "private").

Specifically, the encoder associates with the K-bit binary data sequence $S^K$ an N-bit binary "transmitted" sequence $X^N$, where N > K. It is required that a decoder can correctly obtain $S^K$ with high probability by examining $X^N$. The intruder can examine a subset of his choice of size $\mu$ of the N positions in $X^N$, and the system designer's task is to make the intruder's equivocation (uncertainty) about the data as large as possible. The encoder is allowed to introduce randomness into the transformation $S^K \to X^N$, but we make the assumption that the decoder and the intruder must share any information about the encoding and the randomness. This assumption precludes the use of "key" cryptography, where the decoder has the exclusive possession of certain information.

As an example, suppose that K = 1, N = 2, $\mu$ = 1. Let the data bit be S, and let $\xi$ be a uniform binary random variable which is independent of S. Let $X^2 = (\xi, \xi \oplus S)$, where "$\oplus$" denotes modulo 2 addition. If the intruder looks at either coordinate of $X^2$ he gains no information about S, so that the system has perfect secrecy. The decoder, however, can obtain S by adding (modulo two) the two components of $X^2$.

Our problem is to replicate this type of performance with large K, N, $\mu$. In fact we assume that $K \approx RN$, $\mu \approx \alpha N$, where R, $\alpha$ are held fixed and N becomes large. Roughly speaking, we show that perfect secrecy is attainable provided that $\mu$ is not too large, specifically $\mu \le N - K$ or $\alpha \le 1 - R$. In Section 2 we give a precise statement and discussion of our problem and results, leaving the proofs for Sections 3-5.

This problem is similar to the wire-tap channel problem studied in Reference 1. A special case of the problem studied there allows an intruder to examine a subset of the encoder symbols which is chosen at random by nature. In the present problem, the system designer must make his system secure against a more powerful intruder who can select which subset to examine.

2. Formal Statement of the Problem and Results

In this section we give a precise statement of our problem and state the results.

First a word about notation. Let U be an arbitrary finite set. Denote its cardinality by |U|. Consider $U^N$, the set of N-vectors with components in U. The members of $U^N$ will be written as

$u^N = (u_1, \dots, u_N)$,

where subscripted letters denote components and boldface superscripted letters denote vectors. A similar convention applies to random vectors, which are denoted by upper-case letters. When the dimension of a vector is clear from the context, we omit the superscript. Finally, for random variables X, Y, Z etc., the notation H(X), H(X|Y), I(X;Y), etc. denotes the standard information theoretic quantities as defined, for example, in Gallager [2].

We now turn to the description of the communication system.

(i) The source output is a sequence $\{S_k\}_{k=1}^{K}$, where the $S_k$ are independent, identically distributed binary random variables.

(ii) The encoder with parameters (K, N) is a channel with input alphabet $\{0,1\}^K$ and output alphabet $\{0,1\}^N$ and transition probability $q_E(x^N \mid s^K)$. Let $S^K$ and $X^N$ be the input and output, respectively, of the encoder.

(iii) The decoder is a mapping

$f_D : \{0,1\}^N \to \{0,1\}^K$.

Let $\hat{S} = (\hat{S}_1, \hat{S}_2, \dots, \hat{S}_K) = f_D(X^N)$. The error-rate is

$P_e = \frac{1}{K} \sum_{k=1}^{K} \Pr\{S_k \ne \hat{S}_k\}$.
(iv) An intruder with parameter $\mu$ picks a subset $\mathcal{S} \subseteq \{1, 2, \dots, N\}$, such that $|\mathcal{S}| = \mu$, and is allowed to observe $X_n$, $n \in \mathcal{S}$. Let $Z^N = (Z_1, \dots, Z_N)$, defined by

$Z_n = X_n$ if $n \in \mathcal{S}$, $\quad Z_n = \,?$ if $n \notin \mathcal{S}$,

denote the intruder's information. The system designer seeks to maximize the equivocation

$\Delta \triangleq \min_{\mathcal{S} : |\mathcal{S}| = \mu} H(S^K \mid Z^N)$.

Thus, the designer is assured that no matter what subset $\mathcal{S}$ the intruder chooses, the intruder's remaining uncertainty about the source vector is at least $\Delta$. When $\Delta = K$, the intruder obtains no information about the source, and the system has attained perfect secrecy.

In this paper we study the tradeoffs between K, N, $\mu$, $\Delta$, and $P_e$. As we shall see, it will be useful to consider the normalized quantities K/N, $\mu/N$, $\Delta/K$. Thus K/N is the "rate" of the encoder (the number of data bits per encoded bit), $\mu/N$ is the fraction of the encoded bits which the intruder is able to observe, and $\Delta/K$ is the normalized entropy.

Let us remark that the intruder which observes $Z^N$ can reconstruct the data sequence $S^K$ with a per-bit error probability of, say, $P'_e$. It follows from Fano's inequality that $h(P'_e) \ge \Delta/K$, where $h(\cdot)$ is the binary entropy function defined below Eq. (2.2). Thus $\Delta/K \approx 1$ implies that $P'_e \approx 1/2$, which is essentially perfect secrecy.

We will say that the triple $(R, \alpha, \delta)$ is achievable if for all $\epsilon > 0$ and all integers $N_0 > 0$, there exists an encoder/decoder with parameters $N \ge N_0$, $K \ge (R - \epsilon)N$, $\mu \ge (\alpha - \epsilon)N$, $\Delta \ge (\delta - \epsilon)K$, and $P_e \le \epsilon$. We will show in the sequel that $(R, \alpha, \delta)$ is achievable for $0 \le R, \alpha, \delta \le 1$, and

$\delta \le 1$ for $0 \le \alpha \le 1 - R$; $\quad \delta \le (1 - \alpha)/R$ for $1 - R \le \alpha \le 1$. (2.1)

A graph of the achievable $(\alpha, \delta)$ pairs for fixed R is given in Figure 1.
Figure 1. Achievable $(\alpha, \delta)$ for fixed R.

The following theorem, a proof of which is given in Section 3, is a "converse" result which gives a necessary condition on achievable $(K, N, \mu, \Delta, P_e)$.

Theorem 2.1: If $(K, N, \mu, \Delta, P_e)$ is achievable, then

$\Delta \le K$ for $0 \le \mu \le N - K$; $\quad \Delta \le N - \mu + K\, h(P_e)$ for $N - K \le \mu \le N$, (2.2)

where $h(x) = -x \log x - (1 - x) \log (1 - x)$ is the binary entropy function.

Now if $(R, \alpha, \delta)$ is achievable, for arbitrary $\epsilon > 0$, there must be an encoder/decoder with parameters N, $K \ge (R - \epsilon)N$, $\mu \ge (\alpha - \epsilon)N$, $\Delta \ge (\delta - \epsilon)K$, $P_e \le \epsilon$. Applying Theorem 2.1 to this code yields

$(\delta - \epsilon)K \le \Delta \le N - \mu + K\, h(P_e) \le (1 - \alpha + \epsilon)N + K\, h(\epsilon)$, i.e. $\delta - \epsilon \le \dfrac{1 - \alpha + \epsilon}{R - \epsilon} + h(\epsilon)$,

which is (2.1) as $\epsilon \to 0$. Thus conditions (2.1) are necessary for a triple to be achievable. Theorem 2.2, which is also proved in Section 3, implies that $(R, \alpha, \delta)$ is achievable if (2.1) is satisfied.

Theorem 2.2: Let $1 - R < \alpha < 1$. Then, for all $\epsilon > 0$, $N_0 \ge 1$, there exists an $N \ge N_0$ and an encoder/decoder with parameters $K = RN$, $\mu = \alpha N$, $\Delta/K \ge [(1 - \alpha)/R] - \epsilon$, and $P_e = 0$.
The idea behind the proof of Theorem 2.2 is the following. Partition the set $\{0,1\}^N$ into $2^K$ subsets $\{A_m\}_{m=1}^{2^K}$ with equal cardinality, i.e. $|A_m| = 2^{N-K}$. The $2^K$ possible values of $S^K$ can be put in 1-1 correspondence with these subsets. When $S^K$ corresponds to $A_m$ ($1 \le m \le 2^K$), the encoder output is uniformly distributed on $A_m$. Since the $\{A_m\}$ are disjoint, the decoder can recover $S^K$ perfectly and $P_e = 0$. We show (by random coding) that there exists a partition satisfying Theorem 2.2.

A convenient way to partition $\{0,1\}^N$ is to let the sets $\{A_m\}$ be the cosets of a group code G with N - K information symbols (so that G has $2^K$ cosets). Theorem 2.3, which is proved in Section 4, asserts that in fact we can do quite well with codes of this type.

Theorem 2.3: If the triple $(R, \alpha, \delta)$ satisfies (2.1), then it is achievable using an encoder/decoder derived from a group code.

The following simple lemma allows us to establish the achievability of all triples on the straight line of Figure 1 connecting points A and B by proving only the achievability of point A.

Lemma 2.4: Suppose that we are given an encoder/decoder $f_E, f_D$ with parameters N, K, $P_e$. Suppose there are two intruders which have parameters $\mu = \mu_1, \mu_2$ and $\Delta = \Delta_1, \Delta_2$, respectively. Then, if $\mu_1 \le \mu_2$,

$\Delta_2 \ge \Delta_1 - (\mu_2 - \mu_1)$,

from which we conclude that $(R, \alpha_1, \delta_1)$ achievable implies that $(R, \alpha_2, \delta_2)$ is achievable where $\alpha_2 \ge \alpha_1$, and

$\delta_2 \ge \delta_1 - (\alpha_2 - \alpha_1)/R$. (2.3)

Remark: Inequality (2.3) can be rewritten as $\delta_1 - \delta_2 \le (\alpha_2 - \alpha_1)/R$.

In particular, if $\alpha_1 = 1 - R$, $\delta_1 = 1$, then $\delta_2 \ge (1 - \alpha_2)/R$.

Proof of Lemma 2.4: Let $\mathcal{S}_1 \subseteq \mathcal{S}_2 \subseteq \{1, 2, \dots, N\}$, where $|\mathcal{S}_1| = \mu_1$, $|\mathcal{S}_2| = \mu_2$. Let $Z_i$ correspond to $\mathcal{S}_i$ (i = 1, 2), i.e. $Z_i = (Z_{i1}, \dots, Z_{iN})$ and

$Z_{ij} = X_j$ if $j \in \mathcal{S}_i$, $\quad Z_{ij} = \,?$ if $j \notin \mathcal{S}_i$.

Then

$H(S^K \mid Z_2) - H(S^K \mid Z_1) = H(S^K \mid Z_1, Z_2) - H(S^K \mid Z_1) = -I(S^K; Z_2 \mid Z_1) \ge -H(Z_2 \mid Z_1) \ge -(\mu_2 - \mu_1)$,

where the first equality follows from $\mathcal{S}_1 \subseteq \mathcal{S}_2$. Thus

$H(S^K \mid Z_2) \ge H(S^K \mid Z_1) - (\mu_2 - \mu_1) \ge \Delta_1 - (\mu_2 - \mu_1)$ (2.4)

from the definition of $\Delta$. Minimising (2.4) over all $\mathcal{S}_2$ with $|\mathcal{S}_2| = \mu_2$ yields $\Delta_2 \ge \Delta_1 - (\mu_2 - \mu_1)$ and the lemma.

Finally, we state a theorem which is a rather surprising strengthening of Theorem 2.2. Its proof is given in the full version of this paper.

Theorem 2.5: For arbitrary K, N ($1 \le K \le N$), and $\mu = N - K$, there exists an encoder-decoder with $P_e = 0$ and

3. Proof of Theorems 2.1 and 2.2

Assume that $S^K$, $X^N$, $Z^N$, $\hat{S}$ correspond to a source/encoder/decoder as defined in Section 2, with parameters K, N, $\mu$, $\Delta$, $P_e$. Then, making repeated use of the identity $H(U, V) = H(U) + H(V \mid U)$, we obtain

$\Delta = H(S^K \mid Z^N) = H(S, Z) - H(Z)$
$= H(S, X, Z) - H(X \mid S, Z) - H(Z)$
$= H(S \mid X, Z) + H(X, Z) - H(X \mid S, Z) - H(Z)$
$= H(S \mid X, Z) + H(X \mid Z) - H(X \mid S, Z)$. (3.1)

Now

$H(S \mid X, Z) = H(S \mid X, Z, \hat{S}) \le H(S \mid \hat{S}) \le K\, h(P_e)$,

where the last inequality follows from Fano's inequality (see [2]). Also, since $H(X \mid Z)$ is the entropy of those $N - \mu$ coordinates of X not specified by Z, we have $H(X \mid Z) \le N - \mu$. Finally, noting that $H(X \mid S, Z) \ge 0$, we have from (3.1)

$\Delta \le N - \mu + K\, h(P_e)$,

which is Theorem 2.1.

We now give a proof of Theorem 2.2 which proceeds along the lines suggested in Section 2. Let K, N be given, and let $\{A_m\}$, $1 \le m \le 2^K$, be a partition of $\{0,1\}^N$ into subsets $A_m \subseteq \{0,1\}^N$ such that $|A_m| = 2^{N-K}$. As in Section 2, the partition defines a code: to encode message m ($1 \le m \le 2^K$), we let $X^N$ be a randomly chosen vector in $A_m$. Since the $A_m$ are disjoint, $P_e = 0$ and $H(S \mid X, Z) = 0$. Further, since the $2^K$ messages are equally likely and $|A_m| = 2^{N-K}$, X is uniformly distributed on $\{0,1\}^N$, so that its coordinates are independent identically distributed uniform binary random variables. Thus $H(X^N \mid Z^N) = N - \mu$. We conclude from (3.1) that for this encoder

$\Delta = N - \mu - H(X^N \mid S^K, Z^N)$. (3.2)

Now let $z \in \{0, 1, ?\}^N$ be a possible value for the intruder's information, and let $x \in \{0,1\}^N$. We say that z is "consistent" with x if z can be obtained from x by changing a subset of the coordinates of x to ?'s. Next, let $L \ge 1$ be an integer to be chosen later. We say that a partition $\{A_m\}$ is "good" if for all m ($1 \le m \le 2^K$) and all $z \in \{0, 1, ?\}^N$ with exactly $N - \mu$ ?'s,

$\mathrm{card}\{x \in A_m : z \text{ is consistent with } x\} < L$.

If our encoder corresponds to a "good" partition for some L, then

$H(X^N \mid S^K, Z^N) < \log L$,

and (3.2) yields

$\Delta \ge N - \mu - \log L$. (3.3)

At the conclusion of this section we will prove the following proposition about the existence of "good" partitions. This will lead us directly to Theorem 2.2.

Lemma 3.1: Let K, N, $\mu$ be such that

$N - \mu - K < 0$. (3.4)

Then, there exists a "good" partition (with parameters K, N, $\mu$) provided

Now let R, $\alpha$, $\epsilon$, $N_0$ be given as in the hypothesis of Theorem 2.2. Then, using $2 \log e \le 3$, we write for $N \ge 1$,

$\dfrac{N + K + 2 \log e}{K + \mu - N} \le \dfrac{1 + R + 3}{\alpha - (1 - R)} \triangleq \lambda$.

Thus there exists a "good" partition with $L \le \lambda + 1$, and we conclude from (3.3) that there exists a code with $\Delta/K \ge (1 - \alpha)/R - \log(\lambda + 1)/K$. If we choose $N \ge N_0$ and $\epsilon K \ge \log(\lambda + 1)$, the existence of this code establishes Theorem 2.2. It remains to prove Lemma 3.1.

Proof of Lemma 3.1: Let $\{A_m\}$, $1 \le m \le 2^K$, be a partition of $\{0,1\}^N$, where $|A_m| = 2^{N-K}$. Let $\Psi(A_1, \dots, A_{2^K}) = 0$ or 1 according as $\{A_m\}$ is "good" or not. We write

$\Psi(A_1, \dots, A_{2^K}) \le \sum_{m=1}^{2^K} \sum_{z} \phi(A_m, z)$, (3.6)

where the inner sum is taken over all $z \in \{0, 1, ?\}^N$ with exactly $N - \mu$ ?'s, and $\phi(A_m, z) = 1$ if

$\mathrm{card}\{x \in A_m : z \text{ is consistent with } x\} \ge L$,

and $\phi(A_m, z) = 0$ otherwise.

We now choose the partition at random with uniform distribution on the set of partitions of $\{0,1\}^N$ into $2^K$ classes of equal size. The expectation satisfies

$E\Psi \le \sum_{m} \sum_{z} E\phi(A_m, z)$. (3.7)

The expectation in the right member of (3.7) is taken, as indicated, with z held fixed. Let us define the following quantities.

$Q(z) = \{x \in \{0,1\}^N : x \text{ is consistent with } z\}$,
$q = |Q(z)| = 2^{N - \mu}$, (3.8)
$n = |\{0,1\}^N| = 2^N$,
$r = |A_m| = 2^{N - K}$.

We now compute $E\phi(A_m, z)$. The r members of $A_m$ are chosen at random from $\{0,1\}^N$ (without replacement). The probability that exactly $\ell$ members of $A_m$ belong to $Q(z)$ is

$\binom{q}{\ell} \binom{n - q}{r - \ell} \Big/ \binom{n}{r}$.

To see this, observe that there are $\binom{n}{r}$ ways of choosing the set $A_m$. The $\ell$ members of $A_m$ which belong to $Q(z)$ can be chosen in $\binom{q}{\ell}$ ways, and the remaining $(r - \ell)$ members of $A_m$ can be chosen from the complement of $Q(z)$ in $\binom{n - q}{r - \ell}$ ways.

Now

$E\phi(A_m, z) = \sum_{\ell = L}^{r} \binom{q}{\ell} \binom{n - q}{r - \ell} \Big/ \binom{n}{r}$.

Also, using $\binom{q}{\ell} \le q^{\ell} / \ell!$, and

$\binom{n - q}{r - \ell} \Big/ \binom{n}{r} \le \binom{n}{r - \ell} \Big/ \binom{n}{r} = \dfrac{r!\,(n - r)!}{(r - \ell)!\,(n - r + \ell)!} = \dfrac{r(r-1)\cdots(r-\ell+1)}{(n-r+\ell)(n-r+\ell-1)\cdots(n-r+1)} \le \dfrac{(r/n)^{\ell}}{(1 - r/n)^{\ell}}$,

we have

$E\phi(A_m, z) \le \sum_{\ell = L}^{r} \dfrac{(qr/n)^{\ell}}{\ell!\,(1 - r/n)^{\ell}}$.

Using (3.8), we have $qr/n = 2^{N - \mu - K}$ and $1 - r/n \ge 1/2$, so that

$E\phi(A_m, z) \le \sum_{\ell = L}^{r} \dfrac{2^{\ell(N - \mu - K + 1)}}{\ell!}$.

Substituting into (3.7), and noting that there are $2^K$ values of m and $\binom{N}{\mu} 2^{\mu}$ values of z with exactly $N - \mu$ ?'s, we have

$E\Psi \le 2^K \binom{N}{\mu} 2^{\mu} \sum_{\ell = L}^{r} \dfrac{2^{\ell(N - \mu - K + 1)}}{\ell!}$.

If L satisfies (3.5), then $E\Psi < 1$. Since $\Psi$ is integer valued, there must exist a particular partition, say $\{A_m^*\}$, such that $\Psi(A_1^*, \dots, A_{2^K}^*) = 0$. This is our "good" partition.

4. Group Codes and Theorem 2.3

In Sections 2 and 3, we discussed how to construct encoder/decoders based on a partition $\{A_m\}$ of $\{0,1\}^N$. In this section we consider the special case where the partition $\{A_m\}$ is defined by a group code and its cosets.

Let $H$ be a $K \times N$ parity-check matrix, which we assume has rank $K$. Let the partition $\{A_m\}$, $1 \le m \le 2^K$, be the code defined by $H$ and its cosets. Thus $|A_m| = 2^{N-K}$, for $1 \le m \le 2^K$. To encode message $s = (s_1, \dots, s_K)$, the encoder makes a random selection of one of the $2^{N-K}$ members of the $A_m$ corresponding to $s$. This is equivalent to letting $X^N$ be a random choice from the $2^{N-K}$ solutions of

$$H X^t = s^t, \qquad (4.1)$$

where $t$ denotes matrix transpose. Note that, since $S^K$ is uniformly distributed on $\{0,1\}^K$, $X^N$ is uniformly distributed on $\{0,1\}^N$, and its coordinates $X_1, X_2, \dots, X_N$ are i.i.d. uniform binary random variables.

The decoder observes $X^N$ and computes $H X^t$, which is the message. Thus $P_e = 0$. We now show how to compute $\Delta$ in terms of certain distance-like properties of the parity check matrix.

Definition: Let $C_1, C_2, \dots, C_N$ be the columns of $H$ ($C_n$ is a $K$-vector). Let $S \subseteq \{1, 2, \dots, N\}$ and define $D(S)$ to be the dimension of the subspace spanned by $\{C_n\}$, $n \in S$. For a given $K \times N$ parity check matrix $H$, define for $0 \le \mu \le N$,

$$D^*(\mu) = \min_{|S| = N-\mu} D(S). \qquad (4.2)$$

We now state

Lemma 4.1: Let $D^*(\mu)$ correspond to the $K \times N$ parity-check matrix $H$. Let $w$, $w'$ be the minimum weight of the code and dual code, respectively, defined by $H$. Then (1) for $N-w+1 \le \mu \le N$, $D^*(\mu) = N-\mu$; (2) for $0 \le \mu \le w'-1$, $D^*(\mu) = K$.

Proof: Assertion (1) follows immediately on observing that all sets of $w-1$ columns of $H$ are linearly independent. Thus $D(S) = |S|$, for $|S| \le w-1$. If $N-w+1 \le \mu \le N$, then $N-\mu \le w-1$, so that

$$D^*(\mu) = \min_{|S| = N-\mu} D(S) = N-\mu,$$

which is assertion (1).

Now assertion (2) states that all submatrices $H' = (C_{i_1}, C_{i_2}, \dots, C_{i_q})$ of $H$ have rank $K$ when $q \ge N-w'+1$. To establish this assertion assume that rank $H' < K$. Then there exists a set of linear row manipulations which transform $H'$ into a matrix with a row of 0's. These identical row manipulations will transform $H$ into a matrix for which a row has weight $\le N-q$. Since the dual code is the row space of $H$, $N-q \ge w'$ or $q \le N-w'$, establishing assertion (2).

We now give

Lemma 4.2: When an encoder/decoder is constructed to correspond to the parity check matrix $H$, then

$$\Delta = D^*(\mu). \qquad (4.3)$$

Proof: Let $S^K$, $X^N$, $Z^N$ correspond to an encoder/decoder with parameters $K$, $N$, $\Delta$ ($P_e = 0$), derived as discussed above, from a parity-check matrix $H = (C_1, \dots, C_N)$. Since $P_e = 0$, and $X^N$ is uniformly distributed on $\{0,1\}^N$, Eq. (3.2) applies. Thus Lemma 4.2 will be established when we show that

$$H(X^N \mid S^K, Z^N) = N - \mu - D^*(\mu). \qquad (4.4)$$

Now suppose that $S^K = s$ and $Z^N = z$. Without loss of generality, assume that the last $\mu$ coordinates of $z$ are copies of the corresponding coordinates of $X$. Thus, given $S^K = s$, $Z^N = z$, the remaining unknown coordinates of $X$ are precisely the solutions for $x_1, \dots, x_{N-\mu}$ of

$$\sum_{n=1}^{N-\mu} C_n x_n = s^t + \sum_{n=N-\mu+1}^{N} C_n z_n. \qquad (4.5)$$

Since the number of solutions is $2^{\,N-\mu-\mathrm{rank}(C_1, \dots, C_{N-\mu})}$, and given $S = s$, $Z = z$ all these solutions are equally likely, (4.4) follows. Hence the lemma.

Before continuing with the proof of Theorem 2.3, we digress to apply Lemma 4.2 in an example. Let $K = 4$, $N = 8$, and construct an encoder/decoder using the self-dual Hamming code with block length 8 and 4 information and 4 check digits. Then $w = w' = 4$, so that

$$\Delta = D^*(\mu) = \begin{cases} 4 = K, & 0 \le \mu \le 3, \\ 3, & \mu = 4, \\ N - \mu, & 5 \le \mu \le 8. \end{cases}$$

Thus the encoder/decoder is optimal for all $\mu$ except $\mu = 4$, when $\Delta$ is but one bit less than ideal.
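As an added example (not part of the paper), the Python below builds a parity-check matrix for the self-dual [8,4] extended Hamming code, finds $w$ and $w'$ by brute force, and evaluates $D^*(\mu)$ of (4.2) for every $\mu$, reproducing the table above; the matrix `H_COLS` and all function names are constructed here.

```python
# Added example, not from the paper: brute-force check of Lemma 4.2 / Lemma 4.1
# on the K = 4, N = 8 self-dual extended Hamming code used in the text.
from itertools import combinations

N, K = 8, 4

# Constructed parity-check matrix H (K x N), stored as its N columns (K-vectors):
# column n is the 3-bit binary expansion of n followed by a 1 (all-ones row).
# Its row space is the [8,4,4] extended Hamming code, which is self-dual.
H_COLS = [((n >> 2) & 1, (n >> 1) & 1, n & 1, 1) for n in range(N)]


def gf2_rank(vectors):
    """Rank over GF(2) of a list of 0/1 tuples (xor-basis elimination)."""
    pivots = {}  # leading-bit position -> basis vector with that leading bit
    for v in vectors:
        r = int("".join(map(str, v)), 2)
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]  # reduce by the basis vector with the same lead
    return len(pivots)


def D(S, cols=H_COLS):
    """D(S): dimension of the span of the columns C_n, n in S."""
    return gf2_rank([cols[n] for n in S])


def D_star(mu, cols=H_COLS):
    """D*(mu) = min over |S| = N - mu of D(S), eq. (4.2); equals Delta by Lemma 4.2."""
    n_cols = len(cols)
    return min(D(S, cols) for S in combinations(range(n_cols), n_cols - mu))


def code_words(cols=H_COLS):
    """All x in {0,1}^N with H x^t = 0, i.e. the code defined by H (brute force)."""
    n_cols, k_rows = len(cols), len(cols[0])
    words = []
    for x in range(1 << n_cols):
        bits = [(x >> (n_cols - 1 - n)) & 1 for n in range(n_cols)]
        syndrome = [0] * k_rows
        for n, b in enumerate(bits):
            if b:
                syndrome = [s ^ c for s, c in zip(syndrome, cols[n])]
        if not any(syndrome):
            words.append(tuple(bits))
    return words


def dual_code_words(cols=H_COLS):
    """All GF(2) combinations of the rows of H, i.e. the dual code."""
    rows = list(zip(*cols))
    words = []
    for coeffs in range(1 << len(rows)):
        w = [0] * len(cols)
        for i, row in enumerate(rows):
            if (coeffs >> i) & 1:
                w = [a ^ b for a, b in zip(w, row)]
        words.append(tuple(w))
    return words


def min_weight(words):
    """Minimum Hamming weight over the non-zero words."""
    return min(sum(w) for w in words if any(w))


def equivocation_table(cols=H_COLS):
    """Delta = D*(mu) for mu = 0, ..., N, as in the example above."""
    return [D_star(mu, cols) for mu in range(len(cols) + 1)]


if __name__ == "__main__":
    w, w_dual = min_weight(code_words()), min_weight(dual_code_words())
    print("w =", w, " w' =", w_dual)                    # w = 4  w' = 4
    print("D*(mu), mu = 0..8:", equivocation_table())   # [4, 4, 4, 4, 3, 3, 2, 1, 0]
```

Lemma 4.1 is visible in the output: $D^*(\mu) = K$ for $\mu \le w'-1 = 3$ and $D^*(\mu) = N-\mu$ for $\mu \ge N-w+1 = 5$, leaving only $\mu = 4$ undetermined by the lemma.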

We will establish Theorem 2.3 via a random code argument. Towards this end, we establish the following lemmas.

Lemma 4.3: Let $1 \le m \le n$ and let the $m \times n$ matrix $A$ over GF(2) be chosen at random with uniform distribution on the set of $2^{mn}$ binary $m \times n$ matrices. Then, for $1 \le L \le m$,

$$\Pr\{\mathrm{rank}\,A < m-L\} \le 2^{\,n-(L+1)(n-m+L+1)}.$$

Proof: Let us choose the $n$ columns of $A$ sequentially and independently. Let $d(j)$ be the dimension of the linear space spanned by the first $j$ columns. Suppose that $d(j) = k \le m$. With probability $2^{k-m}$, $d(j+1) = k$; and with probability $(1-2^{k-m})$, $d(j+1) = k+1$. This sequential choice of the columns is modelled by the Markov chain of Figure 2.

[Figure 2: Markov chain for the sequential choice of columns]

Begin at state 0. With each choice of a column, advance one state if and only if this choice increases the dimension of the space spanned by the columns chosen so far. The rank of the matrix $A$ is $d(n)$, and is equal to the state at which we find ourselves after all $n$ columns are chosen. Let $\Gamma(k)$ denote the set of paths $\pi$ which start at state 0 and terminate at state $k$ ($0 \le k \le m$). Then

$$\Pr\{\mathrm{rank}\,A < m-L\} = \sum_{k=0}^{m-L-1} \sum_{\pi \in \Gamma(k)} \Pr\{\pi\}. \qquad (4.6)$$

Now let the path $\pi \in \Gamma(k)$. This path contains exactly $n-k$ self-loops, each of which has probability $\le 2^{k-m}$. Thus, for $\pi \in \Gamma(k)$,

$$\Pr\{\pi\} \le 2^{(k-m)(n-k)}.$$

Also since $|\Gamma(k)| = \binom{n}{k}$, eq. (4.6) yields

$$\Pr\{\mathrm{rank}\,A < m-L\} \le \sum_{k=0}^{m-L-1} \binom{n}{k} 2^{(k-m)(n-k)}.$$

Since the exponent is non-decreasing in $k$ ($k \le m \le n$), we have

$$\Pr\{\mathrm{rank}\,A < m-L\} \le \sum_{k=0}^{m-L-1} \binom{n}{k} 2^{-(L+1)(n-m+L+1)} \le 2^{\,n-(L+1)(n-m+L+1)},$$

which is Lemma 4.3.

Lemma 4.4: Let $1 \le m \le n$, and let the $m \times n$ matrix $A$ over GF(2) be chosen at random with uniform distribution on the set of $2^{mn}$ binary $m \times n$ matrices. Then

$$\Pr\{\mathrm{rank}\,A = m\} = \prod_{j=0}^{m-1} (1 - 2^{j-n}) \ge \exp\Bigl(-\frac{2^{m-n}}{1-2^{-1}}\Bigr) \ge 1 - \frac{2^{m-n}}{1-2^{-1}}.$$

Proof: Choose the rows of $A$ sequentially. As in the proof of Lemma 4.3, the probability that the dimension of the space spanned by the first $j$ rows is equal to $j$ is

$$(1-2^{-n})(1-2^{1-n})\cdots(1-2^{j-1-n}).$$

The rest of the lemma follows from $\ln(1-u) \ge -u/(1-u)$ and $e^{-x} \ge 1-x$.

We now turn to Theorem 2.3. Let $R > 0$ be given and held fixed. We will show that $\delta = 1$, $\alpha = 1-R$ is achievable, and the remainder of the theorem will follow from Theorem 2.4. Let $\varepsilon > 0$ be arbitrary. We will show that there exists an encoder/decoder with parameters $N$, $K = RN$, $\mu = (1-R-\varepsilon)N$, $\Delta \ge K-L$, provided that

$$L \ge 3/\varepsilon. \qquad (4.7)$$

We proceed as follows. Let $H$ be a $K \times N$ parity-check matrix, and let $L$ satisfy (4.7). Let $D^*(\mu)$ correspond to $H$, and define

$$\Psi(H) = \begin{cases} 1, & D^*(\mu) < K-L \text{ or } \mathrm{rank}(H) < K, \\ 0, & \text{otherwise.} \end{cases} \qquad (4.8)$$

We must show that there exists an $H$ with $\Psi(H) = 0$. We can write

$$\Psi(H) \le \sum_{S \subseteq \{1,\dots,N\},\ |S| = N-\mu} \varphi(H, S) + \varphi_0(H), \qquad (4.9a)$$

where

$$\varphi_0(H) = \begin{cases} 1, & \mathrm{rank}(H) < K, \\ 0, & \text{otherwise,} \end{cases} \qquad (4.9b)$$

and

$$\varphi(H, S) = \begin{cases} 1, & D(S) < K-L, \\ 0, & \text{otherwise.} \end{cases} \qquad (4.9c)$$

If we choose $H = (C_1, \dots, C_N)$ at random with uniform distribution on the set of $2^{KN}$ binary $K \times N$ matrices, (4.9) yields

$$E\Psi(H) \le \sum_{|S| = N-\mu} E\varphi(H, S) + E\varphi_0(H). \qquad (4.10)$$

Let $S$, with $|S| = N-\mu$, be arbitrary, and let $A = (C_{i_1}, \dots, C_{i_{N-\mu}})$, where $S = \{i_1, \dots, i_{N-\mu}\}$. Then $\varphi(H, S) = 1$ if and only if $\mathrm{rank}\,A < K-L$, and $E\varphi(H, S) = \Pr\{\mathrm{rank}\,A < K-L\}$. We can apply Lemma 4.3 with $n = N-\mu$, $m = K$, to obtain

$$E\varphi(H, S) \le 2^{\,(N-\mu)-(L+1)(N-\mu-K+L+1)}. \qquad (4.11)$$

Similarly we can apply Lemma 4.4 with $A = H$, $n = N$, $m = K$, to obtain
Since there are no more than $2^N$ subsets $S$, (4.10)-(4.12) yield (using $N-\mu-K = \varepsilon N$, $K = RN$)

$$E\Psi(H) \le 2^{-L\varepsilon N + 2N} + \Pr\{\mathrm{rank}\,H < K\}. \qquad (4.13)$$

Since $L$ satisfies (4.7), the first term in the right member of (4.13) is $< 1/2$. Furthermore, for $N$ sufficiently large, the second term in (4.13) is also $< 1/2$. Thus $E\Psi(H) < 1$.

Since $\Psi(\cdot)$ is an integer valued function, there must exist a $K \times N$ matrix $H_0$ such that $\Psi(H_0) = 0$; so that $\mathrm{rank}\,H_0 = K$ and for the corresponding encoder/decoder, $\Delta = D^*(\mu) \ge K-L$, which is what we set out to prove. Thus we have shown that for arbitrary $R > 0$, the triples $(R, \alpha, \delta)$ where $\alpha \le 1-R$, $\delta \le 1$, are achievable, completing the proof of Theorem 2.4.







EQUIVOCATIONS FOR HOMOPHONIC CIPHERS

Andrea Sgarro
Istituto di Matematica
Università di Trieste
34100 Trieste (Italy)

Abstract. Substitution ciphers can be quite weak when the probability distribution of the message letters is distinctly non-uniform. A time-honoured solution to remove this weakness is to "split" each high-probability letter into a number of "homophones" and use a substitution cipher for the resulting extended alphabet. Here the performance of a homophonic cipher is studied from a Shannon-theoretic point of view. The key and message equivocations (conditional entropies given the intercepted cryptogram) are computed both for finite-length messages and "very long" messages. The results obtained are strictly related to those found by Blom and Dunham for substitution ciphers. The key space of a homophonic cipher is specified carefully, so as to avoid misunderstandings which appear to have occurred on this subject.
1. Introduction.

Simple substitution ciphers (s.s.c.'s) are probably the oldest type of ciphers put to work, and yet they are still in good health in the form of (individually weak) components of (hopefully good) complex cipher systems (e.g. the Data Encryption Standard). The key of a s.s.c. is a permutation of the message-letter alphabet $A = \{a_1, a_2, \dots, a_s\}$, $s \ge 2$; once a key is chosen each single letter output by the message source is replaced by its substitute. S.s.c.'s have been studied rather deeply in the last decade; cf. /1, 2, 3/; in the first two papers the strength of a cipher is assessed by evaluating the equivocations ("uncertainties") on the side of the spy who has intercepted a cryptogram (key equivocation or message equivocation, according to whether the spy is interested in finding out the correct key or the correct message); in /3/ the error probabilities are evaluated when the spy uses the best statistical procedure to recover the correct key or message from the intercepted cryptogram. Further work on s.s.c.'s is done in /4/, which contains a discussion on the role of the "Shannon-theoretic approach" to cryptography and, more generally, on the relevance of purely statistical cryptographic models.

A s.s.c. is very weak when the probability distribution (p.d.) $P$ ruling the message source, which we assume to be memoryless and stationary, is distinctly non-uniform ($P = \{p_1, p_2, \dots, p_s\}$, $p_i > 0$, $\sum p_i = 1$; unspecified summations are meant over all values of the index). A time-honoured solution to remove this weakness is to make use of a cryptogram-letter alphabet $C$ of size $t$ larger than $s$, the size of the message-letter alphabet; for example, the letters of $C$ might be the ordered couples of message letters. Then any large probability $p_i$ can be broken down by associating to the corresponding letter $a_i$ many possible cryptogram substitutes, $t_i$, say: each time $a_i$ occurs in the message one of these is chosen at random and actually substituted for $a_i$. The resulting cipher is called a homophonic cipher (or, rather, a simple, that is single-letter, homophonic cipher; a more formal description is given below). Homophonic ciphers, which are a generalization of s.s.c.'s (refound for $t_i = 1$, $1 \le i \le s$, that is, essentially, when $A = C$), have been recently studied in /5/. In this paper we take the equivocation approach to assess the strength of homophonic ciphers, thereby generalizing the work done in /1/ and /2/ for s.s.c.'s.

A mathematical tool which we shall use is the notion of an exact type. Consider $A^n$, the set of the sequences of length $n$ built over $A$; an exact type (of order $n$ over $A$) is a subset of $A^n$ made up of a sequence together with all its permutations. Of course, if $(n_1, n_2, \dots, n_s)$ is the composition of any of these sequences, $n_i$ being the number of occurrences of letter $a_i$ ($n_i \ge 0$, $\sum n_i = n$), the size of the corresponding exact type is the multinomial coefficient $n!/n_1!\,n_2!\cdots n_s!$. Statisticians will recognize here an obvious link with the notion of sufficient statistic; we simply stress that the sequences of an exact type have all the same probability. A powerful technique based on asymptotically tight bounds for the size and the probability of exact types has been made popular in the circle of information theorists by the fundamental textbook /6/. This technique is applied in /3/ to the error probability approach to s.s.c.'s and in /7/ to the equivocation approach to the same ciphers.

Before going to mathematical developments, we have to give a more formal description of a homophonic cipher. Two alphabets, $A$ and $C = \{c_1, c_2, \dots, c_t\}$, $t \ge s$, are given, $C$ being the cryptogram-letter alphabet; also $s$ integers are given which sum to $t$: $t_1, t_2, \dots, t_s$, $t_i \ge 1$, $\sum t_i = t$. A key is specified by giving $s$ disjoint subsets of $C$ of size $t_1, t_2, \dots$ and $t_s$, respectively. Each time letter $a_i$ is output by the message source, one of the $t_i$ letters of the $i$-th subset is chosen with (conditional) probability $1/t_i$ and is substituted for letter $a_i$. The knowledge of the key is enough to reconstruct the correct message from any of the possible corresponding cryptograms. Before transmission begins, a key is chosen at random and independently of the message output by the source; the key is communicated to the legitimate receiver via a secure special channel ("at random" means that the key is a uniform random variable, or r.v., over the set of all possible keys). The cryptogram is derived from the message and sent over the normal unsafe channel, where it is intercepted by the spy.

We find it convenient to give a more careful description of the key of a homophonic cipher. Such a key can be represented by a sequence in $A^t$ with composition $(t_1, t_2, \dots, t_s)$ (alphabet letter $a_i$ occurs $t_i$ times, $\sum t_i = t$). The meaning of this representation is that if $a_i$ is the $j$-th component of the sequence, then $c_j$ is a possible substitute for $a_i$ under the given key. We shall actually identify each possible key with the corresponding sequence in $A^t$, so that for us the set of keys will be an exact type in $A^t$. Clearly the number of all keys for a homophonic cipher $(A, C; t_1, t_2, \dots, t_s)$ is the multinomial coefficient $t!/t_1!\,t_2!\cdots t_s!$.

As shown in /5/, a homophonic cipher induces a s.s.c. in a quite natural way. A presentation follows which suits our purposes. Take an extended alphabet $U = \{u_1, u_2, \dots, u_t\}$ with the same size $t$ as the cryptogram alphabet $C$; although it would not be restrictive to take $U = C$ we keep them separate for the sake of notational clarity. The elements of $U$ will be denoted at places by symbols like $a_{ij}$, $1 \le i \le s$, $1 \le j \le t_i$; in other words in $U$ each message letter $a_i$ is duplicated $t_i$ times: the letters $a_{ij}$ are called the homophones of letter $a_i$. No ambiguity should result from the fact that the letters of $U$ have two names, e.g. $u_k$ is also called $a_{ij}$ for some $i$ and some $j$. A dummy memoryless and stationary source with alphabet $U$, called the extended source, is now built in the following way: each time the message source outputs a letter $a_i$, $1 \le i \le s$, the extended source outputs a letter $a_{ij}$, $1 \le j \le t_i$, with (conditional) uniform probability; then the (absolute) probability of letter $a_{ij}$ is $p_i/t_i$. We call $P^*$ the p.d. made up of these probabilities; $P^*$ rules the statistical behaviour of the extended source. Note also that the output of the message source is a deterministic function of the simultaneous output of the extended source.

Take now the s.s.c. $(U, C)$, whose $t!$ keys can be represented (cf. above) as sequences in $U^t$ where each letter occurs exactly once. To any key for $(U, C)$ we can associate a key for $(A, C; t_1, t_2, \dots, t_s)$ replacing each $a_{ij}$ in the $U^t$-sequence by $a_i$. A homophonic cipher can be put to work in the following way, which is readily shown to be equivalent to the original description. A key is chosen for the s.s.c. $(U, C)$. The message source is set going together with the extended source synchronized with it. The key is applied to the extended message to give the cryptogram. From this key a "short" key can be obtained as above to be communicated to the legitimate receiver. The "short" key applied to the cryptogram does not allow the legitimate receiver to recover the extended message, but it does allow him to recover the original message over $A$, which is what he needs to know. The key for the s.s.c. $(U, C)$ is a uniform r.v. $K^*$ with $t!$ values, while the "short" key for the homophonic cipher is a uniform r.v. $K$ with $t!/t_1!\,t_2!\cdots t_s!$ values. We shall also write $K^* = (K, J)$, where $J$ is again a uniform r.v., this time with $t_1!\,t_2!\cdots t_s!$ values, which identifies $K^*$ once $K$ is known; note that $K$ and $J$ are independent, as it appears from the values of the respective probabilities. $K$, $J$ and $K^*$ will be referred to as the actual key, the supplementary key and the extended key. We stress the distinction between $K$ and $K^*$: it is the former which is the "true" key of the homophonic cipher, while $K^*$ contains the "redundant information" $J$; cf. the discussion at the end of section 4.

Let the r.v.'s $M_n$, $U_n$ and $C_n$ denote the first $n$ letters output by the message source, the extended source and the cryptogram source, respectively. Some relations for relevant entropies are already implicit from the foregoing: $H(M_n \mid U_n) = 0$, $H(M_n \mid K, C_n) = 0$, $H(M_n \mid K) = H(M_n \mid K^*) = H(M_n)$, $H(K, J) = H(K) + H(J)$, etc. In the following section we shall assess the performance of a homophonic cipher by evaluating its equivocations.



2. The equivocations.

The equivocations of interest are: $H(K \mid C_n)$, the key equivocation, $H(K \mid M_n, C_n)$, the key appearance equivocation, interesting in the case of "chosen plain-text attacks", and, most important of the three, $H(M_n \mid C_n)$, the message equivocation. Since $(U, C)$ is a s.s.c. we already know a lot about its own equivocations, $H(K^* \mid C_n)$, $H(K^* \mid U_n, C_n)$ and $H(U_n \mid C_n)$; cf. /1, 2, 7/. Only the first will be needed. Its value is

(1) $H(K^* \mid C_n) = \log A + \sum_r P^{*n}(T_r) \log \dfrac{\sum_Q Q^n(u_r)}{P^{*n}(u_r)}$

where $A = A(P, t_1, t_2, \dots, t_s) = d_1!\,d_2!\cdots d_h!$, $h$ being the number of distinct probabilities appearing in $P^*$, the first $d_1$ times, the second $d_2$ times, etc.; $d_1 + d_2 + \dots + d_h = t$; the $r$-summation is extended over all exact types $T_r$ in $U^n$; $u_r$ is any sequence in $T_r$; the $Q$-summation is extended over all p.d.'s $Q$ which are obtained by permuting the components of $P^*$, including $P^*$ itself: these p.d.'s are only $t!/A$ owing to ties in the components of $P^*$; of course $Q^n$ is the memoryless extension of $Q$ over $U^n$. The term $\log A$ is a constant; it is certainly non-zero for a strictly homophonic cipher (one for which $t \ge s+1$). The second term goes to zero and it is exactly zero when $P^*$ is uniform and $\log A$ achieves its maximum value $\log t!$ (cf. also section 3).

Some simple identities are helpful. For example: $H(K^* \mid C_n) = H(K, J \mid C_n) = H(K \mid C_n) + H(J \mid K, C_n)$; as $H(K^* \mid C_n)$ is known, it will be enough to compute $H(J \mid K, C_n)$ and then use:

(2) $H(K \mid C_n) = H(K^* \mid C_n) - H(J \mid K, C_n)$

Further: $H(K, M_n \mid C_n) = H(K \mid C_n) + H(M_n \mid K, C_n) = H(K \mid C_n)$ because $M_n$ is a deterministic function of key and cryptogram; and also $H(K, M_n \mid C_n) = H(M_n \mid C_n) + H(K \mid M_n, C_n)$. By comparison (cf. /2/):

(3) $H(M_n \mid C_n) = H(K \mid C_n) - H(K \mid M_n, C_n)$

Now we deal directly with $H(J \mid K, C_n)$ and $H(K \mid M_n, C_n)$.

Theorem 1.

$H(J \mid K, C_n) = H(J) = \sum \log t_i!$

Proof. Assume $(k, j)$ and $(k, i)$ are two extended keys for the s.s.c. $(U, C)$ with the same actual key $k$. With respect to each other these keys only scramble equiprobable homophones relative to the same message-alphabet letter. Therefore, for any cryptogram $c$, $\mathrm{Prob}\{C_n = c \mid K^* = (k, j)\} = \mathrm{Prob}\{C_n = c \mid K^* = (k, i)\}$. This means that $C_n$ and $J$ are conditionally independent given $K$, and therefore $H(J \mid K, C_n) = H(J \mid K)$. But we already know that $J$ and $K$ are independent, so $H(J \mid K) = H(J)$. To complete the theorem, recall that $J$ is a uniform r.v. with $t_1!\,t_2!\cdots t_s!$ values. QED

In theorem 2 the $r$-summation is extended over all exact types $T_r$ in $U^n$ and $h_i = h_i(T_r)$ is the number of distinct letters $a_{ij}$ which do not occur in the sequences of $T_r$, $1 \le i \le s$, $0 \le h_i \le t_i$, $\sum h_i \le t-1$.

Theorem 2.

$H(K \mid M_n, C_n) = \sum_r P^{*n}(T_r) \bigl[\log(\sum_i h_i)! - \sum_i \log h_i!\bigr]$

The non-zero terms in the summation are those for which at least two $h_i$'s are positive, that is, at least two non-equivalent homophones are missing.

Proof. Assume that a couple message-cryptogram, $m$, $c$, is given of positive joint probability. Let us try to reconstruct the key, which is a sequence in $A^t$: e.g., if $a_i$ and $c_j$ are letters in the same position in the given couple, $a_i$ is the $j$-th component of the key. However, gaps might be left because letter $a_i$ might not occur, or it might occur in correspondence to less than $t_i$ distinct cryptogram letters. If $h_i$ denotes the number of times letter $a_i$ is missing in the partially reconstructed key, the number of possible keys left is $(\sum h_i)!/h_1!\,h_2!\cdots h_s!$. Because of symmetry each such key has the same conditional probability, and so

$H(K \mid M_n = m, C_n = c) = \log(\sum_i h_i)! - \sum_i \log h_i!$

Note that the integers $h_i$ can be computed directly from the extended sequence $u$ output by the extended source, $h_i$ being simply the number of distinct letters $a_{ij}$ which do not occur in $u$. Note also that the set of $u$-sequences with given integers $h_i$ is a union of exact types. Therefore, grouping together $u$-sequences in the same type:

$H(K \mid M_n, C_n) = \sum_r P^{*n}(T_r) \bigl[\log(\sum_i h_i)! - \sum_i \log h_i!\bigr]$

Clearly the quantity inside square brackets is zero only when at most one $h_i$ is positive. This proves the last statement in the theorem. QED

Note that the key-appearance equivocation is zero only for $t = 2$, and then the homophonic cipher is also a s.s.c. ($s = t = 2$).

Now (1), (2) and (3), together with the two theorems, give the exact values of the equivocations $H(K \mid C_n)$, $H(K \mid M_n, C_n)$ and $H(M_n \mid C_n)$.



3. Asymptotic results.

It will be shown now that the key-appearance equivocation $H(K \mid M_n, C_n)$ becomes negligible with increasing message length $n$. Therefore for large $n$'s both $H(K \mid C_n)$ and $H(M_n \mid C_n)$ are approximately equal to the constant term

$\log A - \sum_i \log t_i!$

("unremovable uncertainty"); cf. also the observations below formula (1). Note that the factors $d_k$ which appear in the definition of $A$ (cf. again (1)) are made up summing one or more $t_i$'s because equivalent homophones have all the same probability. So, as it should be, the unremovable uncertainty is non-negative. It is zero when only equivalent homophones are equiprobable (the numbers $d_k$ and the numbers $t_i$ are the same up to their order).

Now we investigate the behaviour of $H(K \mid M_n, C_n)$ as a function of $n$. To extend the validity of theorem 3 below to the case $t = 2$, when $H(K \mid M_n, C_n)$ is zero, we adopt the (natural) convention that a term of the form $\exp\{n[-\infty + \varepsilon_n]\}$, $\lim \varepsilon_n = 0$, means zero. We set

$D = D(P, t_1, t_2, \dots, t_s) = \min_{1 \le i < f \le s} (p_i/t_i + p_f/t_f) \le 1$ ($D = 1$ if and only if $s = t = 2$).

Theorem 3.

$H(K \mid M_n, C_n) = \exp\{n[\log(1-D) + \varepsilon_n]\}$, $\lim \varepsilon_n = 0$

Proof. Take $t \ge 3$. We start with the obvious bounds:

$\log 2 \sum_r P^{*n}(T_r) < H(K \mid M_n, C_n) \le \log(t-1)! \sum_r P^{*n}(T_r)$

the summations being restricted to types which correspond to non-zero terms in the summation of theorem 2. Denote by $M(i,j;f,g)$ the set of $U^n$-sequences such that $a_{ij}$ and $a_{fg}$ are missing in them; $1 \le i < f \le s$, $1 \le j \le t_i$, $1 \le g \le t_f$; $M(i,j;f,g)$ is a union of exact types. One has:

$\sum_r P^{*n}(T_r) = P^{*n}(\bigcup_r T_r) = P^{*n}(\bigcup M(i,j;f,g));$

the sets in the latter union, which is not disjoint, are no more than $t(t-1)/2$. One has also:

$P^{*n}(M(i,1;f,1)) = P^{*n}(M(i,j;f,g)) = (1 - p_i/t_i - p_f/t_f)^n$

Assume that $D$ is achieved, say, for $i = 1$, $f = 2$. Then:

$P^{*n}(M(1,1;2,1)) = (1-D)^n \ge P^{*n}(M(i,j;f,g))$

and the bounds for $H(K \mid M_n, C_n)$ can be relaxed to:

$\log 2\,(1-D)^n < H(K \mid M_n, C_n) \le \dfrac{t(t-1)}{2} \log(t-1)!\,(1-D)^n$

This ends the proof. QED

Observe that the proof of the theorem implicitly gives asymptotically tight bounds for $\varepsilon_n$ which are independent of $P$ ($t \ge 3$):

$n^{-1} \log\log 2 < \varepsilon_n \le n^{-1} \log\bigl\{\dfrac{t(t-1)}{2} \log(t-1)!\bigr\}$
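As an added example (not from the paper), the Python below evaluates Theorems 1 and 2 exactly for a small constructed homophonic cipher by enumerating $U^n$, computes the unremovable uncertainty of section 3, and checks the bounds on $H(K \mid M_n, C_n)$ from the proof of Theorem 3; the cipher (`P`, `T`) and all function names are chosen here, and logarithms are to base 2.

```python
# Added example, not from the paper: exact equivocations of a small homophonic
# cipher (Theorems 1 and 2), the unremovable uncertainty of section 3, and the
# bounds on H(K|M_n,C_n) from the proof of Theorem 3. Logarithms are base 2.
from itertools import product
from math import factorial, log2

# Constructed toy cipher: s = 2 message letters with P = (3/4, 1/4), split into
# t_1 = 3 and t_2 = 1 homophones, so t = 4 and P* is uniform (a matched cipher).
P = (3 / 4, 1 / 4)
T = (3, 1)


def extended_letters(p, t):
    """The homophones a_ij of U with their P* probabilities p_i / t_i."""
    return [(i, j, p[i] / t[i]) for i in range(len(p)) for j in range(t[i])]


def missing_counts(u, t):
    """h_i: number of distinct homophones a_ij of a_i that do not occur in u."""
    present = {(i, j) for (i, j, _) in u}
    return [sum((i, j) not in present for j in range(t[i])) for i in range(len(t))]


def key_appearance_equivocation(p, t, n):
    """H(K | M_n, C_n) of Theorem 2, summed over every u in U^n instead of
    over exact types (the bracketed term depends on u only through the h_i)."""
    total = 0.0
    for u in product(extended_letters(p, t), repeat=n):
        prob = 1.0
        for (_, _, pr) in u:
            prob *= pr
        h = missing_counts(u, t)
        # log of the number of keys still possible: (sum h_i)! / prod h_i!
        bracket = log2(factorial(sum(h))) - sum(log2(factorial(hi)) for hi in h)
        total += prob * bracket
    return total


def supplementary_key_entropy(t):
    """H(J) = sum_i log t_i!  (Theorem 1)."""
    return sum(log2(factorial(ti)) for ti in t)


def unremovable_uncertainty(p, t):
    """log A - sum_i log t_i!, with A = d_1! d_2! ... d_h! counting ties in P*."""
    ties = {}
    for (_, _, pr) in extended_letters(p, t):
        key = round(pr, 12)
        ties[key] = ties.get(key, 0) + 1
    log_A = sum(log2(factorial(d)) for d in ties.values())
    return log_A - supplementary_key_entropy(t)


def theorem3_bounds(p, t, n):
    """(lower, upper) for H(K|M_n,C_n) from the proof of Theorem 3 (t >= 3)."""
    s, tt = len(p), sum(t)
    D = min(p[i] / t[i] + p[f] / t[f] for i in range(s) for f in range(i + 1, s))
    lower = log2(2) * (1 - D) ** n
    upper = (tt * (tt - 1) / 2) * log2(factorial(tt - 1)) * (1 - D) ** n
    return lower, upper


if __name__ == "__main__":
    print("H(J) =", supplementary_key_entropy(T))                      # 2.585 bits
    print("unremovable uncertainty =", unremovable_uncertainty(P, T))  # 2.0 bits
    for n in range(1, 5):
        lo, hi = theorem3_bounds(P, T, n)
        print(n, lo, key_appearance_equivocation(P, T, n), hi)
```

For the degenerate case $s = t = 2$ (the s.s.c. with one homophone per letter) the same function returns exactly zero, as the note after Theorem 2 states.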

The parameter $D$ which appears in theorem 3 does not coincide with the corresponding parameter obtained by Dunham /2/ for the key appearance equivocation $H(K^* \mid U_n, C_n)$ of the s.s.c. $(U, C)$. He proved that $H(K^* \mid U_n, C_n) = \exp\{n[\log(1-\delta) + \varepsilon_n]\}$, $\lim \varepsilon_n = 0$, where $\delta$ is the sum of the two smallest components of $P^*$; since these components may be relative to equivalent homophones, one has $\delta \le D$.
The asymptotic behaviour of $H(K^* \mid C_n)$ is well-known (cf. /1, 7/), and so we have all we need. We shall write down explicitly the asymptotic formula for $H(M_n \mid C_n)$, the most complex (and in a way the most relevant) of the three equivocations:

$H(M_n \mid C_n) = H(K \mid C_n) - H(K \mid M_n, C_n) = \log A - \sum_i \log t_i! + \exp\{n[\log(1-B) + \delta_n]\} - \exp\{n[\log(1-D) + \varepsilon_n]\}$, $\lim \delta_n = \lim \varepsilon_n = 0$

$B = B(P, t_1, t_2, \dots, t_s)$ is defined as $\min \bigl(\sqrt{p_i/t_i} - \sqrt{p_j/t_j}\bigr)^2$, the minimum being taken over all distinct $P^*$-probabilities, $1 \le i, j \le s$, $p_i/t_i \ne p_j/t_j$; $B$ is set equal to 1 for $P^*$ uniform, so that the corresponding exponential term becomes zero. Of course, if $B < D$, one can write the message equivocation as:

$H(M_n \mid C_n) = \log A - \sum_i \log t_i! + \exp\{n[\log(1-B) + \delta'_n]\}$, $\lim \delta'_n = 0$,

while, if $B > D$, one has instead:

$H(M_n \mid C_n) = \log A - \sum_i \log t_i! - \exp\{n[\log(1-D) + \varepsilon'_n]\}$, $\lim \varepsilon'_n = 0$.



4. Final remarks.

At the beginning of section 3 it has already been pointed out that, for large message lengths $n$, both the key and the message equivocation are approximately equal to the "unremovable uncertainty" $\log A - \sum \log t_i! \ge 0$. The condition for the unremovable uncertainty to be zero is that only equivalent homophones are equiprobable. An advantageous situation is found instead when $P^*$ is uniform (all the homophones are equiprobable); then the homophonic cipher is said to be matched (cf. /5/) and the unremovable uncertainty equals $\log t! - \sum \log(t p_i)!$, $t p_i$ integers. In principle, when the components of $P$, the p.d. of the message source, are rational, one can always achieve $P^*$ uniform for a sufficiently large cryptogram-alphabet size $t$; however, alphabet extension runs counter to complexity requirements (it also leads to the growth of the term $\sum \log t_i!$). Once a threshold $T > s$ is given, always assuming that the cipher will be used for a long time, one should judiciously choose the parameters $t, t_1, t_2, \dots, t_s$, $s \le t \le T$, in order to achieve a large unremovable uncertainty. Were it not so, the performances of the homophonic cipher might even be worse than those of the s.s.c. $(A, A)$ for the same message source, for example when equal probabilities $p_i$ and $p_j$ are split to give distinct probabilities $p_i/t_i$ and $p_j/t_j$, so that letters $a_i$ and $a_j$ become statistically distinguishable only in the case of the homophonic cipher.

Assume a cipher system $(K, M_n, C_n)$ is given. We call two keys $k$ and $h$ indistinguishable when $T_k^{-1}(c) = T_h^{-1}(c)$ for all cryptograms $c$, of any length ($T_k^{-1}(\cdot)$ denotes the cryptogram-to-message transformation determined by key $k$; note that in the case of a homophonic cipher the message-to-cryptogram transformation $T_k(\cdot)$ is not deterministically defined). The spy (and also the authorized receiver, for that) is interested only in the equivalence class of indistinguishable keys to which $k$ belongs, rather than in $k$ itself. Sometimes the extended key, $K^*$, has been misinterpreted as the "true" key of a (strictly) homophonic cipher. If one neglects the fact that distinct extended keys with the same actual key are indistinguishable, one is led to give over-optimistic evaluations of the cipher's performances. In particular, the negative term $-\sum \log t_i!$, which appears both in key and message equivocation, is ignored. Our description of the various types of "keys" in terms of suitable exact types makes it transparent why the "true" key of a homophonic cipher is precisely the actual key, $K$. Distinct actual keys are always distinguishable.
1. Introduction

The Data Encryption Standard, in short DES, is NBS' cryptographic standard for the protection of commercial computer data (FIPS, 1977). Since 1981, it is also an ANSI standard. In the meantime, it is called DEA by ANSI (ANSI, 1980), and it is still in use in many industrial applications. Recently it has been proposed to become an ISO (International Standard Organisation) standard under the name of DEA1 (ISO, 1983).

There exist several reasons to explore the internal structure and the functional 
properties in the DES. 

1. It can help to understand the DES. Remark that the design criteria of 
the DES are still classified (Bernhard, 1982). 

2. A better understanding of DES can have two consequences: on the one 
hand, the detection of weaknesses can speed up a cryptanalysis attack. 
The detection of inherent strengths will on the other hand simplify the 
task of defining new standards when they will be needed. 

3. The structure can be used in order to simplify or to speed up hardware 
and software implementations. 

To achieve the proposed goals, we first overview (Section 2) the technical 
description of the DES as it appeared in the NBS publication. The reader, who 
knows the NBS description of the DES, can skip Section 2. As the full description 
of all functions in the DES is very long, we refer to the literature (FIPS, 1977; 
Konheim, 1981; Meyer & Matyas, 1982; Morris & al., 1977) for these functions. 

In Section 3 general properties of the S-boxes and of the key scheduling will be combined.

We analyze several functions in order to combine their properties. As a consequence this can be used to find different cleartexts for which the function f in DES gives the same output. These results can also be used to analyze the key clustering in DES, that is, to verify whether there exist different keys which give, for most cleartexts, the same ciphertext.

2. NBS description of the DES

The DES algorithm, as described by NBS (FIPS, 1977), consists of three fundamental parts: enciphering computation, calculation of f(R,K) and key schedule calculation. They are briefly described below.

First observe that several boxes are used in the DES algorithm. It would be too long an explanation to give the details of all these boxes; they can be found in the NBS description. The kind of each box (e.g. permutation) will be mentioned. Remark that the input numbering starts from 0 for some boxes and from 1 for the other ones.

In the enciphering computation, the input is first permuted by a fixed permutation IP from 64 bits into 64 bits. The result is split up into the 32 left bits and the 32 right bits, respectively; these are L and R. Then a bitwise modulo 2 sum of the left part L and of f(R, K) is carried out. After this transformation, the left and right 32 bit blocks are interchanged. Observe that the encryption operation continues iteratively for 16 steps or rounds. In the last round, no interchange of the last obtained left and right parts is performed; the output is obtained by applying the inverse of the initial permutation IP to the result of the 16-th round.

In the calculation of f(R,K) the 32 right bits are first expanded to 48 bits 
in the box E, by taking some input bits twice, others only once. Then a bitwise 
modulo 2 sum of the expanded right bits and of 48 key bits is performed. These 
48 key bits are obtained in the key schedule calculation, which will be explained 
later on. The results of the modulo 2 sum go to the eight S-boxes; each of these 
boxes has six inputs and four outputs. The S-boxes are nonlinear functions. The 
output bits of the S-boxes are permuted in the box P. 

Let us finally describe the key schedule calculation. The key consists of 64 
bits, of which only 56 bits are used. The other 8 bits are not used in the algorithm. 
The selection of the 56 bits is performed in box PC1, together with a permutation. 
The result is split into two 28 bit words C and D. To obtain the 48 key bits for 
each iteration, the words C and D are first left shifted once or twice. A selection 
and a permutation PC2 are then applied to the result. The output of PC2 is the 
48 bit key word which is used in f(R, K). An additional table tells the user how 
many shifts must be performed to obtain the next 48 key bits of the key for the 
following round. DES can be used in four modes (FIPS, 1980; Konheim, 1981). 

3. Propagation characteristics 

We first analyze the new properties which we observed in the expansion 
phase, the S-boxes and the key scheduling. We combine our results with older 
ones (Davio & al., 1983) in order to discuss the non-substitution property of f 
and the key clustering in DES. Let us first discuss the importance of the fact that 
f is not a substitution and of the key clustering. 

3.1. The importance of the propagation characteristics 

If f is not a substitution, the cardinality of its image plays an important role 
in the evaluation of the security of DES. Indeed if the image of f contains only 
one element, the DES is completely linear. More generally, if the cardinality of 
the image of f is small DES may be insecure. 

If there exists a key clustering in DES, it may be that for a large number 
of cleartexts modifying the key in a particular way does not affect the 
ciphertext. If this is true for DES it simplifies an exhaustive attack enormously. 

3.2. The expansion phase 

The expansion phase plays a very important role in this section. 

3.3. The S-boxes 

3.3.1. An introduction 

We observed several new properties in the S-boxes. Most of our new 
properties are valid for all S-boxes and are consequently called "general properties". 
In the following sections some of these properties are used in order to analyze to 
what extent f is not a substitution and to analyze the key clustering. We did 
not apply all general properties in the following sections; perhaps in the future 
one will be able to explain why the S-boxes have these properties or to use them 
in some deeper analysis of DES. 

Two kinds of properties are discussed. In the first kind we fix some input 
bits of the S-boxes (1, 2, ..., or 5 of the 6 possible bits). We are interested in 
what changes are propagated to the output and how. E.g. for the output one 
can wonder whether the 4-bit outputs are always distinct when we change the non-fixed 
input bits, or whether for some inputs the output is not affected. Secondly we discuss 
how the output changes if we complement some input bits of the S-boxes. 

We number the inputs of one S-box by abcdef. We number the S-boxes from 
1 to 8 and denote them as $S_i$. Remark that representations of the S-boxes other 
than in the NBS norm may be useful (Davio & al., 1983). 

3.3.2. Properties of the S-boxes if some input bits are fixed. 

The inputs a, b, e, f of the S-boxes play a special role in DES. Indeed one half 
of the message input bits in each round influences two S-boxes. These bits will go 
to the mentioned input bits. These bits will play an important role in the analysis 
of the non-substitution property of the function f in DES. The next properties 
draw special attention to the mentioned input bits. The following properties 
can however easily be generalized. One can easily verify them using a computer 
program. 

We number the properties by a double numbering technique, such that it is 
easy to refer to them. 

1. The observed properties hold for all S-boxes. We analyze if the output 
of an S-box can or cannot change if one modifies the inputs of an S-box 
in the following way: 

(a) fix the inputs e and f 

(b) one is allowed to change c and d to arbitrary values c' and d' 

(c) one changes the inputs a and b as described in the properties 

1.1. $\neg(\forall c, d, c', d', e, f : S_i(0,0,c,d,e,f) \neq S_i(1,0,c',d',e,f))$ 

1.2. $\neg(\forall c, d, c', d', e, f : S_i(0,1,c,d,e,f) \neq S_i(1,1,c',d',e,f))$ 

1.3. $\forall c, d, c', d', e, f : S_i(0,1,c,d,e,f) \neq S_i(1,0,c',d',e,f)$ 

1.4. $\forall c, d, c', d', e, f : S_i(0,0,c,d,e,f) \neq S_i(1,1,c',d',e,f)$ 

Remark: One can wonder why e.g. $S_i(0,0,c,d,e,f)$ was not compared 
with $S_i(0,1,c',d',e,f)$. This property is already known: indeed it is 
known (Konheim, 1981) that each row (see NBS notation) of each S-box 
is a permutation. In other words $S_i(a,b,c,d,e,f) \neq S_i(a,b',c',d',e',f)$ 
for any two distinct quadruples $(b,c,d,e)$ and $(b',c',d',e')$. The properties 
described here are in fact a generalization of it. 

2. The observed properties hold for all S-boxes, except property 2.4. We 
analyze if the output of an S-box can or cannot change if one modifies 
the inputs of an S-box in the following way: 

(a) fix the inputs a and b 

(b) one is allowed to change c and d to arbitrary values c' and d' 

(c) one changes the inputs e and f as described in the properties 

2.1. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,0) \neq S_i(a,b,c',d',0,1))$ 

2.2. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,1,0) \neq S_i(a,b,c',d',1,1))$ 

2.3. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,1) \neq S_i(a,b,c',d',1,0))$ 

2.4. If $i \neq 4$ then: 

$\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,0) \neq S_i(a,b,c',d',1,1))$ 

If $i = 4$ then: 

$\forall a, b, c, d, c', d' : S_4(a,b,c,d,0,0) \neq S_4(a,b,c',d',1,1)$ 

Remark: The properties 1.3 and 1.4 change if one also allows the input 
e to change to e'. Then it will be possible to find identical outputs for 
special inputs. A similar remark is true for property 2.4 (i = 4) if one allows 
the input b to change. 
3.3.3. Complementation properties of the S-boxes 

A well known (Hellman & al., 1976) property of the S-boxes is that if one 
complements one input of an S-box at least two output bits will change. We 
analyze the effect of complementing two input bits, while leaving the other ones 
unchanged. It is evident that one can easily generalize our properties to the case 
that 3 or more bits are complemented. The first aim was to observe whether it is 
possible to maintain a constant output if only two bits are complemented. First 
observe that in order to maintain a fixed output one has to complement bit a 
or f, otherwise we conflict with the permutation property of the "rows" of the 
S-boxes. For special abcdef inputs the output of an S-box remains unchanged if 
one complements two of the input bits. 

It is remarkable that only when ab is complemented does the output change for all 
S-boxes. This is however very easy to prove starting from our properties 
1.3 and 1.4 of the previous section. In a similar way one can use properties 2.3 
and 2.4 to obtain the corresponding conclusion for complementing ef. 

3.4. The key scheduling 

In our analysis of the key clustering we used the key scheduling of DES in 
detail. The ideas of Neutjens on the key scheduling in DES were very useful in this 
context (Neutjens, 1983). We now overview them and explain them systematically. 
We number the key bits from 1 to 64 as in the NBS description (FIPS, 1977); 
56 of them are used. 

First of all remark that after PC1 one can split up the key scheduling in DES 
completely into two parts. PC2 does not affect this decomposition (Davio & al., 
1983). As a consequence of this decomposition, one can separate for one round of 
DES the selection of the key bits which will influence the first 4 S-boxes from 
those which influence the last 4 S-boxes. Let us now construct the equivalent scheme. 
All used notations, e.g. the registers C and D, originate from the NBS 
representation of DES. 

We represent the register content of C by $(c_1, c_2, \ldots, c_{28})$ and that of D by 
$(d_1, d_2, \ldots, d_{28})$. Mostly in the key scheduling the registers C and D are shifted 
twice to obtain the $K_i$ of the $i$-th round, e.g. $(c_1, c_2, c_3, \ldots, c_{28})$ is transformed into 
$(c_3, c_4, c_5, \ldots, c_2)$. This can now be reformulated for the C register as one shift 
on each of the following two registers $(c_1, c_3, c_5, \ldots, c_{27})$ and $(c_2, c_4, c_6, \ldots, c_{28})$. 
We call them respectively the odd and the even registers. One can then realize the key 
scheduling with 4 registers instead of two, which shift only once when in the NBS 
representation the registers shift two times. This reorganization affects PC2. 

One has now still to discuss what happens if only one shift is performed on 
C and D, as in the iterations 1, 2, 9 and 16, using our equivalent representation. 
The first shift in the first iteration can be realized together with PC1. In the 
other situations we interchange the content of the odd and the even registers, 
by performing first a shift on the old content of the odd register and no shift 
on that of the even register. We then also change the name of each register: 
odd becomes even, even becomes odd. Indeed $(c_1, c_3, c_5, \ldots, c_{27}), (c_2, c_4, c_6, \ldots, c_{28})$ 
is then changed into $(c_2, c_4, c_6, \ldots, c_{28}), (c_3, c_5, c_7, \ldots, c_1)$. One can verify that 
the previous operations are identical to one shift in the NBS notation. 

The register D can be treated in a similar way. Remark that it is more 
difficult to perform one shift in the NBS representation. However, we are able to 
see better which bits of the key affect a particular S-box. 
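The odd/even register reformulation can be checked by simulation. The Python program below is an added example, not code from the paper or from Neutjens: it runs the NBS left-shift schedule of FIPS 46 (one position in rounds 1, 2, 9 and 16, two positions otherwise) on the 28-stage C register, and in parallel the four-register form, in which each 14-stage register shifts at most once per round and the single-shift rounds are handled by the shift-then-swap trick described above, applied uniformly (the paper folds the first one into PC1). Register contents are tracked by position number; PC1, PC2 and the D register (which behaves identically) are not modelled.

```python
"""Neutjens' odd/even register view of the DES key schedule (section 3.4).

Added example, not code from the paper. Only the C register is modelled; the
D register behaves identically. SHIFTS is the FIPS 46 left-shift table.
"""
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # rounds 1..16


def nbs_schedule(c):
    """NBS form: rotate the 28-tuple c left by SHIFTS[i] before round i+1.
    Returns the register content used in each of the 16 rounds."""
    out = []
    for s in SHIFTS:
        c = c[s:] + c[:s]
        out.append(c)
    return out


def split_odd_even(c):
    """(c1, c3, ..., c27) and (c2, c4, ..., c28) in the paper's 1-based notation."""
    return c[0::2], c[1::2]


def merge_odd_even(odd, even):
    """Inverse of split_odd_even: interleave the two 14-tuples back into 28 positions."""
    return tuple(v for pair in zip(odd, even) for v in pair)


def neutjens_schedule(c):
    """Same register contents as nbs_schedule, computed with two 14-stage registers
    that each shift at most once per round:
      - a double NBS shift is one shift of the odd and one of the even register;
      - a single NBS shift is one shift of the odd register, none of the even one,
        followed by renaming: odd becomes even, even becomes odd."""
    odd, even = split_odd_even(c)
    out = []
    for s in SHIFTS:
        if s == 2:
            odd, even = odd[1:] + odd[:1], even[1:] + even[:1]
        else:
            odd, even = even, odd[1:] + odd[:1]
        out.append(merge_odd_even(odd, even))
    return out


if __name__ == "__main__":
    c0 = tuple(range(1, 29))                      # position numbers c1 .. c28
    for rnd, (a, b) in enumerate(zip(nbs_schedule(c0), neutjens_schedule(c0)), 1):
        print(f"round {rnd:2d} shift {SHIFTS[rnd - 1]}: {a[:6]}... equal={a == b}")
```

Because every rotation of a 28-tuple preserves the interleaving of odd and even positions, the two schedules agree round by round; the renaming step is what makes the single-shift rounds fit the same two-register layout.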

Let us now apply all the described properties. 

3.5. The function f is not one-to-one for fixed K 

Let us remember here that f consists of the expansion box E, of the EXORing 
with the key bits, of the S-boxes and of the permutation P. It has sometimes 
been wondered whether the f function is by itself a substitution. The answer to 
that question is negative (Davio & al., 1983; Konheim, 1981). A more systematic 
discussion is given in this section. 

We will now use the properties described in section 3.3.2 to demonstrate 
how they can be used in the analysis of the non-substitution property of f. Evidently we 
assume that the key K is fixed. We analyze which bits of the message part R 
(see NBS notation) one must change in order to maintain the same output of f. 
We will progressively increase the number of changed bits. First we only change 
the inputs (or message part of the input) of one, two and then three S-boxes 
and generalize afterwards. We will mostly use the new as well as the well known 
(Hellman & al., 1976; Konheim, 1981) general properties of the S-boxes, together 
with the structure of E (Davio & al., 1983). 

Theorem 1: If for fixed key one only changes the input of one S-box, the 
output of f will change. 

Proof: In order not to affect the inputs of the other S-boxes one can only change 
the inputs c and d. However, if a and f are not changed, an S-box forms a 
substitution. □ 

Theorem 2: If for fixed key one changes only the inputs of two neighbouring 
S-boxes, the output of f will change. 

Proof: Let us call the two affected S-boxes $S_i$ and $S_{i+1}$ and let us define $S_9$ as 
being $S_1$ (this again shows that it can be more interesting to start the numbering 
from 0, see (Davio & al., 1983)). In order not to affect the input of $S_{i-1}$ the 
inputs a and b of $S_i$ may not change, and similarly for the inputs e and f of 
$S_{i+1}$ in order not to affect the inputs of $S_{i+2}$. In order not to conflict with 
the permutation properties of the "rows" of the S-boxes and using the previous 
remark, at least f in $S_i$ must be complemented in order to maintain a fixed 
output. A similar remark is true for the input a of $S_{i+1}$. As a consequence of the 
expansion box E, a complementation of the input e (respectively f) of $S_i$ is equal 
to a complementation of the input a (respectively b) of $S_{i+1}$. So in order to 
produce the same output we have at least to complement a and b in $S_{i+1}$. Remark 
that the inputs c and d in $S_{i+1}$ do not influence the proof. In other words, whether 
or not one additionally changes the inputs c and d in $S_{i+1}$, the output of $S_{i+1}$ 
will change, by virtue of properties 1.3 and 1.4 of the S-boxes. □ 

Theorem 3: If for fixed key one changes only the inputs of three neighbouring 
S-boxes, the output of f will for some inputs remain identical only if one 
complements at least the inputs a, b and e of the middle one of the three S-boxes 
and the input c or d of the last S-box, and if one does not complement the input f 
of the middle one of the three S-boxes. 

Proof: We call the three S-boxes $S_{i-1}$, $S_i$ and $S_{i+1}$; $S_0$ is equal to $S_8$ and $S_9$ 
equals $S_1$. The proof is for a large part similar to that of theorem 2. Let us first 
give the similar part of the proof. 

We must fix the inputs a and b of $S_{i-1}$, and e and f of $S_{i+1}$. The input f of 
$S_{i-1}$ must be complemented and similarly for the input a of $S_{i+1}$. This last 
condition is equivalent to saying that the inputs b and e of $S_i$ must be complemented. 
Now we apply the consequences of theorem 2 to continue our proof. 

If a and b are both complemented in $S_{i+1}$, the output will change (see proof of 
theorem 2 or properties 1.3 and 1.4 of the S-boxes). Using the previous observations 
the input b in $S_{i+1}$ may not be complemented, or equivalently f in $S_i$. At this 
moment we already know that for $S_i$, b and e must be complemented and f may 
not. Because each row in the S-boxes is a permutation and because f may not 
be complemented in $S_i$, a must be complemented in $S_i$. Remark that in fact one 
must still complement bit c or d in $S_{i+1}$. Indeed if only one input bit in an S-box 
is complemented, the output changes. □ 

We have now proven the theorem. It is now very easy to generate in a 
systematic way several examples for which the function / remains constant even 
if some bits are complemented. 

3.6. The key clustering 

We analyze the clustering from the point of view that DES contains j rounds, 
where j is between 1 and 16. The input for these j rounds is fixed, while we 
complement or change some bits of the key. So if we speak now about an input 
of an S-box, this input is related to a modification of the key. 

We first prove some general theorems for the key clustering, and afterwards 
we give some examples. 
3.6.1. A general approach 

First of all, for a fixed input the permutation IP has no influence on the key 
clustering. We can start the analysis from $L_s$ and $R_s$. This means that if we are 
interested in a complete DES analysis, $s = 0$ and $j = 16$. Let us now apply DES 
with the keys K and K' and call the subkeys $K_1$ till $K_{16}$ and $K'_1$ till $K'_{16}$. The 
key K will produce some L and R register contents, while K' produces L' and R'. 
The effect of the first of the j rounds is that in the case we use the key K we 
have $L_{s+1} = R_s$ and $R_{s+1} = L_s \oplus f(R_s, K_{s+1})$. Applying the key K' we obtain 
$L'_{s+1} = R_s$ and $R'_{s+1} = L_s \oplus f(R_s, K'_{s+1})$. After t rounds we obtain using key 
K the register contents $L_{s+t} = R_{s+t-1}$ and $R_{s+t} = L_{s+t-1} \oplus f(R_{s+t-1}, K_{s+t})$. 
Using the key K' we have: $L'_{s+t} = R'_{s+t-1}$ and $R'_{s+t} = L'_{s+t-1} \oplus f(R'_{s+t-1}, K'_{s+t})$. 

Remark that in general by changing the key the contents of the registers L and 
R change too. Let us now call $H_{s+t} = f(R_{s+t-1}, K_{s+t}) \oplus f(R'_{s+t-1}, K'_{s+t})$. It 
is now easy to see using (Davio & al., 1983) that the global effect of a change in 
the key has no final effect on the ciphertext if the two following conditions are 
satisfied together. 

1. $H_{s+1} \oplus H_{s+3} \oplus H_{s+5} \oplus \cdots \oplus H_t = 0$, where $t = s + j$ if j is odd, else 
$t = s + j - 1$. 

2. $H_{s+2} \oplus H_{s+4} \oplus \cdots \oplus H_u = 0$, where $u = s + j$ if j is even, else 
$u = s + j - 1$. 

Using the previous conditions it is now easy to analyze the conditions necessary 
for key clustering if one analyzes only 1, 2, 3 or 4 rounds. The analysis of more 
rounds seems to be more difficult if one wants a complete analysis. 
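The two conditions above follow from the Feistel structure alone, not from any property of the DES f. The following Python program is an added example, not the paper's code, that checks the claim on a constructed toy: a 16-bit Feistel network with 8-bit halves and a constructed table-lookup round function in place of the DES f. For two subkey sequences K and K' it computes the terms $H_{s+t}$, the two alternating XOR conditions, and confirms over all tried inputs that both conditions vanish exactly when the output after j rounds is unchanged. The last helper lists the clustered inputs, which is the quantity the examples of section 3.6.2 count for DES.

```python
"""Key-clustering conditions of section 3.6.1 on a constructed toy Feistel network.

Added example, not code from the paper. The round function f below is a
constructed 8-bit table lookup keyed by XOR, not the DES f. The telescoping
argument only uses L_{s+t} = R_{s+t-1}, R_{s+t} = L_{s+t-1} XOR f(R_{s+t-1}, K_{s+t}),
so the two conditions hold for any f.
"""
from functools import reduce

# Constructed non-linear 8-bit table; any fixed table would serve.
T = [((37 * v * v + 11 * v + 5) % 256) ^ (v >> 3) for v in range(256)]


def f(R, K):
    """Toy round function on 8-bit halves (stands in for the DES f)."""
    return T[(R ^ K) & 0xFF]


def feistel_rounds(L, R, subkeys):
    """Apply rounds s+1 .. s+j with the given subkeys; return (L, R) after each round."""
    states = []
    for K in subkeys:
        L, R = R, L ^ f(R, K)
        states.append((L, R))
    return states


def h_terms(L, R, subkeys, subkeys2):
    """H_{s+t} = f(R_{s+t-1}, K_{s+t}) XOR f(R'_{s+t-1}, K'_{s+t}) for t = 1 .. j."""
    Rs = [R] + [r for _, r in feistel_rounds(L, R, subkeys)]     # R_s, R_{s+1}, ...
    Rs2 = [R] + [r for _, r in feistel_rounds(L, R, subkeys2)]   # R'_s, R'_{s+1}, ...
    return [f(Rs[t - 1], subkeys[t - 1]) ^ f(Rs2[t - 1], subkeys2[t - 1])
            for t in range(1, len(subkeys) + 1)]


def xor_all(seq):
    return reduce(lambda x, y: x ^ y, seq, 0)


def clustering_conditions(L, R, subkeys, subkeys2):
    """Condition 1: XOR of H over odd t; condition 2: XOR over even t. Both must be 0."""
    H = h_terms(L, R, subkeys, subkeys2)
    return xor_all(H[0::2]), xor_all(H[1::2])   # H_{s+1}^H_{s+3}^..., H_{s+2}^H_{s+4}^...


def same_ciphertext(L, R, subkeys, subkeys2):
    """True when the (L, R) output after the last round is the same for both subkey sequences."""
    return feistel_rounds(L, R, subkeys)[-1] == feistel_rounds(L, R, subkeys2)[-1]


def conditions_match_ciphertext(subkeys, subkeys2, max_L=256):
    """The paper's claim: both conditions hold exactly when the ciphertext is unchanged.
    Checked for every input (L, R) with L < max_L and all 256 values of R."""
    return all((clustering_conditions(L, R, subkeys, subkeys2) == (0, 0))
               == same_ciphertext(L, R, subkeys, subkeys2)
               for L in range(max_L) for R in range(256))


def clustered_inputs(subkeys, subkeys2, max_L=256):
    """Inputs whose output is identical under both subkey sequences (the key clustering)."""
    return [(L, R) for L in range(max_L) for R in range(256)
            if clustering_conditions(L, R, subkeys, subkeys2) == (0, 0)]


if __name__ == "__main__":
    K = [0x1b, 0x7e, 0xa5, 0x3c]       # constructed subkeys K_{s+1} .. K_{s+4}
    K2 = [0x1b, 0x7f, 0xa5, 0x3d]      # K' differs in rounds 2 and 4 only
    for j in (1, 2, 3, 4):
        n = len(clustered_inputs(K[:j], K2[:j], max_L=32))
        print(f"j={j}: identity holds={conditions_match_ciphertext(K[:j], K2[:j], 32)}, "
              f"{n} of 8192 inputs clustered")
```

Note that the conditions do not require each $H_{s+t}$ to vanish: a difference introduced in one round can be cancelled two rounds later, which is exactly the relaxation the paper uses for three consecutive rounds in section 3.6.2 (Example 3). With j = 1 or j = 2 the conditions reduce to $H_{s+1} = 0$ and $H_{s+1} = H_{s+2} = 0$, as stated there.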

3.6.2. An analysis of the key clustering in a DES with 1, 2, 3 or 4 rounds 

In the case 1 round is considered we must have $H_{s+1} = 0$. This means 
$f(R_s, K_{s+1}) = f(R_s, K'_{s+1})$. Using previous knowledge on the S-boxes this means 
that the input of an S-box is not changed or that at least two bits change. It is 
very easy to generate several examples for this case. Using the fact that E is an 
expansion of 32 bits to 48 bits and its structure (Davio & al., 1983), and because 
PC2 selects only 48 bits out of the 56 bits of the key, we have the following result. 
For each (cleartext, ciphertext) pair in a one round DES there exist exactly $2^{24}$ keys 
which generate the same (cleartext, ciphertext) pair starting from a fixed cleartext. 
If a similar remark remains true for the complete DES algorithm (16 rounds), 
DES is very easy to break using a simplified exhaustive attack. Let us therefore 
start to analyze more rounds. 

In the case 2 rounds are considered we must have $H_{s+1} = 0$ and $H_{s+2} = 0$. 
This means $f(R_s, K_{s+1}) = f(R_s, K'_{s+1})$, as in the previous case, and additionally 
$f(R_{s+1}, K_{s+2}) = f(R_{s+1}, K'_{s+2})$, because from the first equality we have 
$R'_{s+1} = R_{s+1}$. Remark that the S-boxes must satisfy similar conditions as in the case 
only one round was considered. However to satisfy it for the two rounds together we 
must take the key scheduling in DES into consideration. We now give a simple 
example of it. 

Example 1. If one complements the bits 3 and 44 (in the NBS notation) of 
any 64 bit key, then there exist $6 \cdot 2^{59}$ pairs of (cleartext, ciphertext) which remain 
identical during rounds 1 and 2 of DES. In other words, 1/5 of all pairs (cleartext, 
ciphertext) are not affected by the complementation of 2 bits of the key during 
rounds 1 and 2. 

Let us now explain what happens and how one can calculate the (cleartext, 
ciphertext) pairs. The bits 3 and 44 both go after the key scheduling in the 
first round to $S_3$ and become there the inputs a and e. We can verify that for 6 
out of 32 (or 12 out of 64) possible inputs a complementation of a and e in $S_3$ 
does not change the output. This means that the possible inputs for which the 
above property is true are restricted from $2^{64}$ to $6 \cdot 2^{59}$. The cardinality of the set 
of cleartexts for which the explained clustering is satisfied is independent of the 
used key. However the set of cleartexts for which the above clustering holds changes if 
other keys are considered. This is a consequence of the structure in the function 
f. Now we must still analyze which restrictions the second round imposes on the 
possible cleartexts. The analysis in this example is straightforward because the 
key bits 3 and 44 are not selected in the second round, so no extra condition is 
necessary. 

One may observe that we were lucky in the construction of the previous 
example. First, the non-selection of the key bits in the second iteration seems to 
be luck. Secondly, example 1 is only valid for rounds 1 and 2 of DES. In the 
following example the reader can observe that similar examples can be given for 
all rounds and that the non-selection of some key bits is not necessary. 

Example 2. This example is true for most consecutive rounds. As a 
consequence of the ideas of Neutjens on the key scheduling (see section 3.4), two 
consecutive rounds can mostly be analyzed systematically (Neutjens, 1983). This 
is true if one uses two shifts in the key scheduling, as represented by the NBS, 
to move to the next round. This means the rounds 2-3, 3-4, 4-5, 5-6, 6-7, 7-8, 
9-10, 10-11, 11-12, 12-13, 13-14 and 14-15. In order not to lose generality 
we will use a more general description of the property. If one complements the 
two bits of the key which will "arrive" in S-box 4 at locations a and e during 
the first of the two above rounds, then for every key there exist $36 \cdot 2^{54}$ (or about 
1/29 of all possible) pairs (cleartext, ciphertext) which remain identical during 
the two consecutive rounds mentioned earlier. This can be analyzed using the ideas 
of Neutjens on the key scheduling (Neutjens, 1983) and using our properties of 
the S-boxes. 

Let us now consider three consecutive rounds. First, more restrictions on the 
cleartext are then imposed in order not to affect the ciphertext if one modifies the 
key. This is a consequence of the key scheduling. However the output of the 
function f in the first and last (of the three) rounds must no longer be constant 
(see section 3.6.1). This relaxes the imposed restrictions. Let us give a short 
example to illustrate it. Remark that the authors have already generalized this example, 
but this is out of the scope of this paper. 

Example 3. The three consecutive rounds may be 2-3-4, 3-4-5, 4-5-6, 5-6-7, 
6-7-8, 9-10-11, 10-11-12, 11-12-13, 12-13-14 and 13-14-15. Hereto one complements 
(e.g.) three bits of the key. In our example the key bits must "arrive" at locations 
a and d in S-box 8 in the first round (of the three consecutive ones) and at location d 
in S-box 4. We impose the extra condition that bit 15 of the output of f (after 
the box P) must be complemented in the first and last round as a consequence of 
the modification of the key. We can then analyze that for 50% of the keys and for 
1 in 1024 cleartexts, the ciphertext is not modified. For the other 50% of the keys 
this happens for 1 in 4096 cleartexts. 

4. Conclusions and perspectives 

A cryptographic system can only be considered secure if a small modification 
in the cleartext and/or in the key strongly affects the ciphertext in a non-linear way. 
We described techniques for analyzing this constraint for DES. We 
found that if DES had only a few rounds it would be a bad system. Our analysis 
demonstrated at the same time that the known probabilistic tests done on DES are 
insufficient to conclude that the scheme is secure. Were it possible to work out 
the techniques presented here on a 16-round DES, one could possibly prove the so 
often alleged existence of a key clustering in DES. 
Abstract 

A construction is given for perfect linear ciphers that uses two digits 
of key per plaintext digit, which appears to be the minimum possible. 
The construction utilizes two shift-registers that are clocked at dif- 
ferent speeds, and suggests a new type of random sequence generator in 
which two linear feedback shift-registers are clocked at different 
speeds and their contents combined at the lower clock rate. The effects 
of variable speed are analyzed, and the linear complexity of the se- 
quences produced by such generators is determined. 
1. Introduction 

We begin this paper by considering how much key is required in a perfect 
linear cipher. We show in Section 2 that two digits of key per 
plaintext digit suffice, and we conjecture that this much key is also 
necessary. The perfect linear cipher constructed in Section 2 utilizes 
two shift-registers that are clocked at different speeds, a "trick" that 
we have borrowed from convolutional coding lore. 

The perfect linear ciphers of Section 2 suggest a promising structure 
for random sequence generation, which we propose in Section 3, that 
utilizes two linear feedback shift-registers (LFSR's) clocked at different 
speeds. In Section 4, we investigate analytically the effects of 
such variable speed in LFSR's. These results are then used in Section 5 
to determine the linear complexity of the sequences produced by the 
previously suggested random sequence generator. We close the paper with 
some additional observations and suggestions for generalizations. 

2. Perfect Linear Ciphers and Convolutional Codes 

Suppose that one wishes to use a ciphering system of the additive type 
in which the ciphertext digit $y_j$ is determined by the plaintext digit 
$x_j$ in the manner (reminiscent of a stream cipher) that 

$y_j = x_j + z_j, \qquad j = 0, 1, 2, \ldots$ (1) 

where the digit $z_j$ is determined in some prescribed manner by the key K 
and the previous plaintext digits. [All digits and operations are assumed 
to be in $F_q$, the finite field of q elements, unless specified 
otherwise.] Suppose further that, for whatever reason, one demands that 
the enciphering be linear in the plaintext with memory M so that 




where the coefficients $c_i(j,K)$ depend both on the time instant j and 
the key K. (We suppose that the initial conditions $x_{-1}, x_{-2}, \ldots, x_{-M}$ 
required in (2) are dummy plaintext digits that may be chosen as 
convenient.) Suppose finally we demand that the enciphering be perfect in 
the sense that, for some appropriate probability measure over the keys, 
one has, for every choice of $\beta$ in $F_q$ and every $j \geq 0$, 

$\Pr(z_j = \beta \mid z_{j-1}, \ldots, z_0, x_{j-1}, \ldots, x_0, \ldots, x_{-M}) = 1/q$ (3) 

In other words, we require that, for each allowable plaintext sequence, 
the additive sequence $z_0, z_1, z_2, \ldots$ be a completely random q-ary sequence. 

From (2), it follows that 

$\Pr(z_j = 0 \mid x_{j-1} = \cdots = x_{j-M} = 0) = 1$ (4) 

so that perfect secrecy as specified by (3) is impossible without some 
plaintext restriction. From (4), we see that the least plaintext 
restriction compatible with perfect secrecy in such a linear cipher is 

$[x_{j-1}, x_{j-2}, \ldots, x_{j-M}] \neq [0, 0, \ldots, 0], \qquad j = 0, 1, 2, \ldots$ (5) 

which we hereafter assume to be the only restriction on the plaintext. 
[For q = 2 and M = 1, we see that (5) implies $x_j = 1$ for all j, so that 
no interesting system is possible; for all M > 1, however, the plaintext 
restriction admits interesting systems.] 

We first make the quite trivial observation that perfect linear ciphers 
exist for every M and every $F_q$. One can simply choose the coefficients 
$c_i(j,K)$ independently at random from a uniform distribution over $F_q$; 
the plaintext restriction (5) guarantees that one of the independent 
"key digits" will then appear with a non-zero multiplier on the right 
in (2) so that (3) will be satisfied. This perfect linear ciphering 
system, however, requires M digits of key for each digit of plaintext. 
This large key requirement appears quite unsatisfactory (particularly 
for large M, as would be desirable to ease the restriction specified by 
(5)) when one reflects that a perfect one-time system (which is an 
additive cipher in which the additive sequence is itself the random key) 
requires only one digit of key for each digit of plaintext. The question 
we now pose is: What is the least amount of key (measured in digits of 
key per plaintext digit) required for a perfect linear cipher as 
specified by (1), (2) and (3) with the plaintext restriction (5)? We now 
show that two digits of key per plaintext digit is always sufficient, 
and we conjecture that this much key is also necessary for all $M \geq 2$. 

To prove our claim, we consider the specific linear cipher system shown 
in Fig. 1 consisting of a random key generator (whose outputs are 
independently chosen from a uniform distribution over $F_q$) that drives a 
shift-register that is clocked at a rate d times faster than the shift-
register driven by the plaintext source. 



[Fig. 1, diagram not reproduced. Labelled parts: Plaintext Source feeding 
the upper shift-register (plaintext digits down to $x_{j-M}$); Random Key 
Generator, key K, feeding the d-fold-speed shift-register holding 
$r_{dj-1}, \ldots, r_{dj-M}$.] 

Fig. 1: A perfect linear cipher system, conjectured to use a minimum 
of random key digits when d = 2. 

To show that (3) holds for the system of Fig. 1 under the restriction 
(5), consider at time j the leftmost non-zero digit in the upper shift-
register, say $x_{j-i}$. From Fig. 1, we see that its multiplying coefficient 
$c_i(j,K)$ is just the random digit $r_{dj-i}$. But, provided that d > 1 so that 
the lower shift-register is shifting faster to the right than is the 
upper one, it follows because $r_{dj-i}$ has just come abreast of $x_{j-i}$ at 
time j that this same random digit at earlier time instants could have 
multiplied only digits that are to the left of $x_{j-i}$ in the upper shift-
register. But, as all these latter digits must be zeroes, it follows 
that the earlier generated digits $z_{j-1}, z_{j-2}, \ldots$ are all independent of 
$r_{dj-i}$; hence the fact that $x_{j-i} r_{dj-i}$ with $x_{j-i} \neq 0$ is a component of 
$z_j$ implies that (3) is satisfied, as was to be shown. The linear cipher 
of Fig. 1 requires d digits of key per plaintext digit, and we have 
shown it to be perfect for all $d \geq 2$. The least key, of course, is used 
when d = 2. 
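The argument above can be checked exhaustively for small parameters. The Python program below is an added example, not the paper's code; it assumes the enciphering form implied by the text and Fig. 1, namely $z_j = \sum_{i=1}^{M} c_i(j,K)\, x_{j-i}$ with $c_i(j,K) = r_{dj-i}$, over GF(2) with M = 2 and a constructed four-digit plaintext (plus dummy digits) that satisfies (5). It enumerates every key and tabulates the distribution of the additive sequence $z_0, \ldots, z_3$: with d = 1 the same key digit multiplies a given plaintext digit at two different times, which for this plaintext forces $z_1 = z_2$, so (3) fails; with d = 2 (and d = 3) every z-sequence is equally likely.

```python
"""The Fig. 1 cipher over GF(2): exhaustive check of perfect secrecy (3) for d = 1 versus d = 2.

Added example, not code from the paper. It assumes the enciphering form implied by
the text and Fig. 1, z_j = sum_{i=1..M} c_i(j,K) x_{j-i} with c_i(j,K) = r_{dj-i},
where the r_k are independent uniform key digits and d is the speed factor.
"""
from collections import Counter
from itertools import product


def keystream(x, dummy, r, M, d, n):
    """z_0 .. z_{n-1} for plaintext x = (x_0, ..., x_{n-1}), dummy digits
    dummy = (x_{-M}, ..., x_{-1}) and key digits r, where r[k + M] holds r_k (k >= -M)."""
    xs = list(dummy) + list(x)              # xs[t + M] holds x_t
    z = []
    for j in range(n):
        z.append(sum(xs[j - i + M] & r[d * j - i + M] for i in range(1, M + 1)) & 1)
    return tuple(z)


def satisfies_restriction(x, dummy, M, n):
    """Plaintext restriction (5): x_{j-1}, ..., x_{j-M} never all zero, j = 0 .. n-1."""
    xs = list(dummy) + list(x)
    return all(any(xs[j - i + M] for i in range(1, M + 1)) for j in range(n))


def keystream_distribution(x, dummy, M, d, n):
    """Count every z-sequence over all 2^(d(n-1)+M) equiprobable keys; the key
    indices k = -M .. d(n-1)-1 are all that z_0 .. z_{n-1} depend on."""
    nkey = d * (n - 1) + M
    return Counter(keystream(x, dummy, r, M, d, n) for r in product((0, 1), repeat=nkey))


def is_perfect(dist, n):
    """(3) over the whole block: all 2^n z-sequences equally likely for this plaintext."""
    return len(dist) == 2 ** n and len(set(dist.values())) == 1


if __name__ == "__main__":
    X, DUMMY, M, N = (1, 0, 1, 0), (1, 0), 2, 4   # constructed: x_{-2}=1, x_{-1}=0, x_0..x_3
    assert satisfies_restriction(X, DUMMY, M, N)
    for d in (1, 2, 3):
        dist = keystream_distribution(X, DUMMY, M, d, N)
        print(f"d={d}: {len(dist)} distinct z-sequences, perfect={is_perfect(dist, N)}")
```

For d = 1 only 8 of the 16 possible z-sequences occur, so an observer who sees $z_1$ learns $z_2$; for d = 2 all 16 occur equally often, each for 16 of the 256 keys, which is the uniformity (3) demands.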

In fact, we have borrowed our answer to the linear cipher problem posed 
above from our earlier solution [1, pp. 19-21] to a problem in error-
correcting codes. The problem there was to find the smallest ensemble 
of time-varying codes such that the codewords enjoy pairwise independ-
ence; this coding problem is formally identical to the linear cipher 
problem, and our "double speed ensemble" solution to this coding pro-
blem remains the smallest ensemble known to suffice. 

It is well known [2, pp. 680-683] that the least amount of key required 
for perfect secrecy in any type of ciphering system is one key digit 
per plaintext digit (when the plaintext is irredundant). It would thus 
be interesting if one could prove that a perfect linear cipher requires 
at least two key digits per plaintext digit, as this would give some 
theoretical force to the rubric that "linearity is the curse of the 
cryptographer". 

3. Variable Speed in Random Sequence Generation 

A perfect secrecy system of the additive type is of course an ideal 
random number generator, i.e., its additive sequence $z_0, z_1, z_2, \ldots$ is a 
sequence of digits drawn independently at random from a uniform distri-
bution over $F_q$. This suggests that the basic structure of Fig. 1 may 
be of use in random sequence generation. For this purpose, it is natural 
to replace the plaintext source of Fig. 1 by an M-stage linear feedback 
shift-register (LFSR) started in some non-zero state, as this automat-
ically enforces the "plaintext restriction" (5) as well as introduces 
some element of pseudo-randomness. It is a natural next step to replace 
the random key generator of Fig. 1 by a second LFSR of length L ($L \geq M$), 
also started in some non-zero state but clocked at a speed d times that 
of the first LFSR to produce the pseudo-random sequence which further 
"randomizes" the "plaintext" to produce the desired "random" sequence 
$z_0, z_1, z_2, \ldots$ The resulting random sequence generator is shown in Fig. 2. 
Such a device might be used as a random number generator or as a key 
stream generator in a conventional stream cipher. 
Fig. 2: A random sequence generator employing multiple speed 
shift-registers. 

In the following sections, we analyze the effect of the speed factor d 
on the sequence produced by the generator of Fig. 2. Our interest is in 
the new phenomena that result when the speed factor is treated as an 
additional variable in shift-register sequence generation. 

4. The Effects of Variable Speed 

The sequence $r = r_0, r_1, r_2, \ldots$ of digits from $F_q$ produced by the lower 
LFSR in Fig. 2 satisfies the homogeneous linear recursion 

$$ r_k + c_1 r_{k-1} + \cdots + c_L r_{k-L} = 0, \qquad k = 0, 1, 2, \ldots $$ (6) 

(where $k$ denotes the time instants of the high speed clock for this 
LFSR) whose characteristic polynomial is 

$$ c(x) = x^L + c_1 x^{L-1} + \cdots + c_L. $$ (7) 
In what follows, we shall assume (mainly for analytic convenience) that 
$c(x)$ is irreducible in $F_q[x]$. The roots of $c(x)$ then lie in the extension 
field $F_{q^L}$, or $GF(q^L)$ to use the more usual notation. Let $\alpha$ be 
a root of $c(x)$ (which implies that $c(x)$ is the minimum polynomial over 
$GF(q)$ of $\alpha$). Then, for every $A$ in $GF(q^L)$, the sequence $\tilde r$ defined by 

$$ \tilde r_k = A\alpha^k, \qquad k = 0, 1, 2, \ldots $$ (8) 

is a solution of (6), as can be seen by direct substitution; however, 
the digits in $\tilde r$ lie in the extension field $GF(q^L)$ rather than in $GF(q)$ 
as required for $r$. One remedies this by introducing the trace operator, 
which maps $GF(q^L)$ into $GF(q)$ in the manner 

$$ \mathrm{Tr}(\beta) = \sum_{i=0}^{L-1} \beta^{q^i}. $$ (9) 

The trace is a linear operator with respect to the "scalar" field $GF(q)$, 
i.e., for $a_1$ and $a_2$ in $GF(q)$ and for $\beta_1$ and $\beta_2$ in $GF(q^L)$, 

$$ \mathrm{Tr}(a_1\beta_1 + a_2\beta_2) = a_1\,\mathrm{Tr}(\beta_1) + a_2\,\mathrm{Tr}(\beta_2). $$ (10) 

It now follows from (10) that the $GF(q)$ sequence $r$ with 

$$ r_k = \mathrm{Tr}(A\alpha^k), \qquad k = 0, 1, 2, \ldots $$ (11) 

is a solution of (6) for every $A$ in $GF(q^L)$. In fact, since each choice 
of $A$ gives a different sequence $r$, (11) gives all the $GF(q)$ solutions 
of (6), as there are exactly $q^L$ such solutions, corresponding to the $q^L$ 
choices of the initial conditions $r_{-1}, r_{-2}, \ldots, r_{-L}$ in (6). It is 
convenient to associate $A$ with the corresponding initial state $[r_{-1}, r_{-2}, \ldots, r_{-L}]$ 
of the lower LFSR in Fig. 2. 

Now consider the sequence 

$$ r[d] = r_0, r_d, r_{2d}, \ldots $$ (12) 

that appears at the input tap of the lower LFSR at the (slower) clock 
times $j$ of the surrounding logic. We see from (12) that $r[d]$ is just 
the $d$-th decimation of the sequence $r$ and moreover that 

$$ (r[d])_j = r_{dj} = \mathrm{Tr}(A\alpha^{dj}). $$ (13) 

It is illuminating to write (13) as 

$$ (r[d])_j = \mathrm{Tr}(A\beta^j) $$ (14a) 

where 

$$ \beta = \alpha^d. $$ (14b) 

The period $T$ of the original LFSR is the smallest positive integer $t$ 
such that $c(x)$ divides $x^t - 1$; equivalently, $T$ is the multiplicative order 
of $\alpha$ in $GF(q^L)$ and thus $\alpha, \alpha^2, \ldots, \alpha^{T-1}, \alpha^T = 1$ are the $T$ distinct roots 
of $x^T - 1$. By proper choice of $d$ ($1 \le d \le T$), it follows from (14b) that 
$\beta$ can be selected as any root of $x^T - 1$ and hence as a root of any monic 
irreducible polynomial that divides $x^T - 1$. The multiplicative order of $\beta$ 
in $GF(q^L)$ will be $T/\gcd(d,T)$. The following proposition, which is a mild 
generalization of known results for the decimation of maximal-length 
sequences, is now an immediate consequence of (14a). 

Proposition 1: If the sequence $r$ produced by an $L$-stage LFSR of period $T$, 
whose characteristic polynomial is the minimum polynomial over $GF(q)$ of 
the element $\alpha$, is observed at intervals of $d$ clock cycles, then this 
observed sequence $r[d]$ is a sequence producible by the LFSR of period 
$T/\gcd(d,T)$ whose characteristic polynomial is the minimum polynomial 
over $GF(q)$ of $\beta = \alpha^d$. Moreover, every sequence producible by the latter 
LFSR is equal to $r[d]$ for some choice of the initial state of the former 
LFSR. 

The practical import of Proposition 1 is that multiple-clocking provides 
a means by which a single LFSR with fixed feedback connections can be 
used to generate sequences that appear to be produced by LFSR's with 
different feedback connections. We shall call the LFSR whose characteristic 
polynomial is the minimum polynomial over $GF(q)$ of $\beta = \alpha^d$ the 
LFSR simulated by the LFSR whose characteristic polynomial is the minimum 
polynomial over $GF(q)$ of $\alpha$, when the latter LFSR is shifted at $d$ 
times the observation rate. 
Now consider the sequence $r^i[d]$ observed in the $i$-th stage of the lower 
LFSR of Fig. 2 at the slower clock times $j$ of the surrounding logic. Then 

$$ (r^i[d])_j = r_{dj-i} = \mathrm{Tr}(A\alpha^{dj-i}) = \mathrm{Tr}(A\alpha^{-i}\beta^j) $$ (15) 

where $\beta$ is given by (14b). (Note that $r[d] = r^0[d]$.) From (15), we see 
that this sequence is again a sequence producible by the LFSR simulated 
by the faster-shifting LFSR. We now consider the relationship between 
the sequences observed in adjacent stages of the faster-shifting LFSR. 

If $s = s_0, s_1, s_2, \ldots$ is any periodic sequence, we shall call the sequence 
$\theta^n s = s_n, s_{n+1}, s_{n+2}, \ldots$ the $n$-th phase of the sequence $s$. If $s$ can be 
described as 

$$ s_j = \mathrm{Tr}(C\gamma^j), \qquad j = 0, 1, 2, \ldots $$ 

then it follows that 

$$ (\theta^n s)_j = \mathrm{Tr}(C\gamma^n\gamma^j), \qquad j = 0, 1, 2, \ldots $$ (16) 

so that the phase shift $n$ can be read off by comparing the multipliers 
of $\gamma^j$ in the trace descriptions. 

In general, the sequences $r^i[d]$, for $i = 1, 2, \ldots, L$, will not be phase 
shifts of one another; rather, they will be "cyclically distinct" sequences 
producible by the simulated LFSR. However, when $\gcd(d,T) = 1$, 
so that the simulated and simulating LFSR's have the same period, the 
sequences $r^i[d]$ will be phase shifts of one another. To see this, we 
note that $\gcd(d,T) = 1$ means that $d$ has a multiplicative inverse $e$ 
modulo $T$, i.e., there exists an integer $e$ ($1 \le e < T$) such that 

$$ de = QT + 1 $$ 

and hence 

$$ \beta^e = \alpha^{de} = \alpha^{QT+1} = \alpha. $$ (17) 

In this case, we can write (15) as 

$$ (r^i[d])_j = \mathrm{Tr}(A\beta^{-ie}\beta^j). $$ (18) 
The following proposition now follows from (18) and (16). 

Proposition 2: When $\gcd(d,T) = 1$, then the sequence $r^i[d]$ observed every 
$d$ clock cycles in the $i$-th stage of an LFSR of length $L$ and period $T$ 
with an irreducible characteristic polynomial over $GF(q)$ and non-zero 
initial loading is the $e$-th phase of the sequence $r^{i+1}[d]$ observed 
every $d$ clock cycles in the $(i+1)$-st stage, where $e$ ($1 \le e < T$) is the 
multiplicative inverse of $d$ modulo $T$. 

The practical import of Proposition 2 is that simulating an LFSR by 
multiple-clocking of another LFSR gives simultaneous access to widely 
separated phases of the sequence produced by the simulated LFSR, rather 
than only to consecutive phases as when this sequence is produced by the 
actual LFSR being simulated. 

Proposition 3: The sequences $r^i[d]$ ($i = 1, 2, \ldots, L$) described in Proposition 2 
are linearly independent over $GF(q)$. 

To prove this proposition, it suffices to show that the initial constants 
$A\beta^{-ie}$ ($i = 1, 2, \ldots, L$) in the trace descriptions of the $L$ sequences are 
linearly independent over $GF(q)$. If not, there would exist $a_i$ ($i = 1, 2, \ldots, L$) 
in $GF(q)$, not all zero, such that $a_1\beta^{-e} + a_2\beta^{-2e} + \cdots + a_L\beta^{-Le} = 0$, 
and hence (after multiplication by $\beta^{Le}$) $\beta^e$ would be the root of a non-zero 
polynomial over $GF(q)$ with degree less than $L$. But this is impossible since 
$\beta^e = \alpha$ has a minimum polynomial of degree $L$. 

The practical import of Proposition 3 is that any sequence producible 
by the simulated LFSR can be obtained by a linear combination of the 
contents of the faster-shifting LFSR taken at the slower observation 
times. But this is not too surprising since any such sequence could also 
be produced by linear combinations of the contents of the actual LFSR 
being simulated. It does show, however, that no flexibility is lost when 
the LFSR is simulated by a faster LFSR observed under a slower clock, 
rather than directly implemented. 
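The decimation and phase relations of Propositions 1 to 3 can be checked directly on a small binary instance. The following Python script is an added worked example, not part of the paper: it takes $c(x) = x^4 + x + 1$ over $GF(2)$ (so $L = 4$, $T = 15$), reads the stages of the fast LFSR every $d$ clocks exactly as in (15), and verifies the period $T/\gcd(d,T)$ of $r[d]$, that $r[7]$ obeys the recursion of $x^4 + x^3 + 1$ (the minimum polynomial of $\alpha^7$ when $\alpha$ is a root of $x^4 + x + 1$), the phase shift $e = d^{-1} \bmod T$ between adjacent stages, and the linear independence of the $L$ stage sequences. The seed, the polynomials and the speed factors are constructed for the example.

```python
# Added example: multiple-clocking of one binary LFSR (Propositions 1-3 above).
# Constructed instance: c(x) = x^4 + x + 1 over GF(2), so L = 4 and period T = 15.
from math import gcd

def lfsr_sequence(coeffs, seed, n):
    """r_0..r_{n-1} of the LFSR with characteristic polynomial
    x^L + c_1 x^(L-1) + ... + c_L over GF(2); coeffs = [c_1, ..., c_L], seed = [r_0, ..., r_{L-1}]."""
    r = list(seed)
    while len(r) < n:
        r.append(sum(c & r[-i] for i, c in enumerate(coeffs, 1)) & 1)
    return r

def observed(r, T, d, i, n):
    """(r^i[d])_j = r_{dj-i} for j = 0..n-1, eq. (15); r holds one period (length T),
    so indices, negative ones included, are reduced modulo T."""
    return [r[(d * j - i) % T] for j in range(n)]

def min_period(seq):
    """Smallest p with which the sample repeats (the sample must cover >= 2 periods)."""
    return next(p for p in range(1, len(seq) + 1)
                if all(seq[k] == seq[k % p] for k in range(len(seq))))

def satisfies(seq, coeffs):
    """True if seq obeys s_k = c_1 s_{k-1} + ... + c_L s_{k-L} (mod 2) throughout."""
    L = len(coeffs)
    return all(seq[k] == sum(c & seq[k - i] for i, c in enumerate(coeffs, 1)) & 1
               for k in range(L, len(seq)))

def linearly_independent(vectors):
    """Brute force over GF(2): no non-empty subset of the vectors sums to the zero vector."""
    n = len(vectors)
    return all(any(sum(v[k] for t, v in enumerate(vectors) if mask >> t & 1) & 1
                   for k in range(len(vectors[0])))
               for mask in range(1, 1 << n))

COEFFS = [0, 0, 1, 1]        # x^4 + x + 1: r_k = r_{k-3} + r_{k-4}
L, T = len(COEFFS), 15
R = lfsr_sequence(COEFFS, [0, 0, 0, 1], T)   # one full period of the fast LFSR

def decimation_period(d):
    """Proposition 1: r[d] has period T / gcd(d, T)."""
    return min_period(observed(R, T, d, 0, 2 * T))

def phase_relation_holds(d):
    """Proposition 2 (gcd(d,T) = 1): r^i[d] is the e-th phase of r^{i+1}[d], e = d^{-1} mod T."""
    e = pow(d, -1, T)
    return all(observed(R, T, d, i, T) == observed(R, T, d, i + 1, 2 * T)[e:e + T]
               for i in range(1, L))

def stages_independent(d):
    """Proposition 3: the L sequences r^i[d], i = 1..L, are linearly independent over GF(2)."""
    return linearly_independent([observed(R, T, d, i, T) for i in range(1, L + 1)])

if __name__ == "__main__":
    for d in (1, 3, 7):
        print(f"d={d}: period of r[d] = {decimation_period(d)} = T/gcd(d,T) = {T // gcd(d, T)}")
    # alpha^7 is a root of x^4 + x^3 + 1, so r[7] is a sequence of that LFSR (Proposition 1)
    print("r[7] obeys x^4 + x^3 + 1:", satisfies(observed(R, T, 7, 0, 3 * T), [1, 0, 0, 1]))
    print("Prop. 2 with d=7, e=13:", phase_relation_holds(7), " Prop. 3:", stages_independent(7))
```

With $d = 3$ the observed sequence collapses to period $5$, as $T/\gcd(3,15)$ predicts; with $d = 7$ the full period survives, the recursion changes to that of $x^4 + x^3 + 1$, and the four stage sequences are phases of one another spaced $e = 13$ apart yet still linearly independent.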

5. Linear Complexity of the Random Sequence Generator 

The linear complexity $\Lambda(z)$ of a periodic sequence $z$ is the degree $L$ of 
the characteristic polynomial of smallest degree among those LFSR's that 
produce the sequence $z$, i.e., the length of the shortest LFSR that produces 
$z$. Linear complexity is widely used in cryptographic analysis 
despite its limitations as a "true complexity" measure for sequences. 
We now compute the linear complexity of the sequence $z$ produced by the 
generator of Fig. 2 when the two component LFSR's have irreducible 
characteristic polynomials and relatively prime lengths $L$ and $M$. 

As we shall be dealing with extensions $GF(q^n)$ of $GF(q)$ for different $n$, 
we shall denote the trace operator from $GF(q^n)$ to $GF(q)$ by $T_n$ so that, 
for $\gamma$ in $GF(q^n)$, 

$$ T_n(\gamma) = \sum_{i=0}^{n-1} \gamma^{q^i}. $$ (19) 

We shall make key use of the following identity, which is of some independent 
interest. 

Lemma 1: If $\gamma$ and $\delta$ are in $GF(q^L)$ and $GF(q^M)$, respectively, where 
$\gcd(L,M) = 1$, then 

$$ T_L(\gamma)\,T_M(\delta) = T_{LM}(\gamma\delta). $$ (20) 

Note that $GF(q^L)$ and $GF(q^M)$ are both subfields of $GF(q^{LM})$, so that the 
product $\gamma\delta$ in (20) is well-defined in $GF(q^{LM})$. To prove (20), we first 
note from (19) that 

$$ T_{LM}(\gamma\delta) = \sum_{i=0}^{LM-1} \gamma^{q^i}\delta^{q^i}. $$ (21) 

Next, we observe that, because $\gamma \in GF(q^L)$ and $\delta \in GF(q^M)$, 

$$ \gamma^{q^i} = \gamma^{q^{\,i \bmod L}} $$ (22a) 

and 

$$ \delta^{q^i} = \delta^{q^{\,i \bmod M}}, $$ (22b) 

where "$i \bmod n$" denotes the remainder when $i$ is divided by $n$. Because 
$\gcd(L,M) = 1$, the Chinese remainder theorem implies that $(i \bmod L,\ i \bmod M)$ 
takes on each pair $(j,k)$ with $0 \le j < L$ and $0 \le k < M$ exactly 
once as $i$ ranges from $0$ to $LM-1$. Thus (21) and (22) imply 

$$ T_{LM}(\gamma\delta) = \sum_{j=0}^{L-1}\sum_{k=0}^{M-1} \gamma^{q^j}\delta^{q^k} = \Bigl(\sum_{j=0}^{L-1} \gamma^{q^j}\Bigr)\Bigl(\sum_{k=0}^{M-1} \delta^{q^k}\Bigr), $$ 

which we recognize now from (19) to be the desired identity (20). 

The following result is proved in [3] and is a simple consequence of 
the fact that the degree of the minimum polynomial over $GF(q)$ of $\gamma$ is 
the least positive integer $t$ such that $\gamma^{q^t} = \gamma$. 

Lemma 2: If the minimum polynomials of $\beta$ and $\gamma$ over $GF(q)$ have degrees 
$L$ and $M$, respectively, and $\gcd(L,M) = 1$, then the minimum polynomial of 
$\beta\gamma$ over $GF(q)$ has degree $LM$. 

Now suppose that the characteristic polynomials $c(x)$ and $b(x)$ of the 
two LFSR's of Fig. 2 are irreducible, that $\alpha$ is a root of $c(x)$ and $\gamma$ 
is a root of $b(x)$, that $\beta = \alpha^d$ has the same multiplicative order in 
$GF(q^L)$ as $\alpha$, and that the degrees $L$ and $M$ satisfy $\gcd(L,M) = 1$. Then 
the $i$-th input sequence $w^i$ to the adder forming $z$ in Fig. 2 is given 
according to (18) by 

$$ (w^i)_j = T_L(A\beta^{-ie}\beta^j)\, T_M(B\gamma^{-i}\gamma^j), $$ (23) 

where $A$ and $B$ are non-zero elements of $GF(q^L)$ and $GF(q^M)$ if, as we now 
assume, the initial states of the LFSR's are both non-zero. Using (20), 
we obtain 

$$ (w^i)_j = T_{LM}\bigl(AB\beta^{-ie}\gamma^{-i}(\beta\gamma)^j\bigr). $$ (24) 

It now follows from Lemma 2 and (11) that $w^i$ is a non-zero sequence 
produced by an LFSR with an irreducible characteristic polynomial of 
degree $LM$, and hence that the linear complexity of $w^i$ is 

$$ \Lambda(w^i) = LM. $$ (25) 

In fact, we see from (24) that each sequence $w^i$ is produced by this same 
LFSR of length $LM$ and hence so also is their sum 

$$ z = \sum_{i=1}^{M} w^i. $$ (26) 

To show that 

$$ \Lambda(z) = LM, $$ (27) 

it remains only to show that $z$ is not the all-zero sequence $0$. Now (10), 
(24) and (26) show that $z = 0$ only if 

$$ \sum_{i=1}^{M} (\beta^e\gamma)^{-i} = \sum_{i=1}^{M} (\alpha\gamma)^{-i} = 0, $$ 

where we have made use of (17), which would require $\alpha\gamma$ to be the root 
of the polynomial $x^{M-1} + x^{M-2} + \cdots + x + 1$ over $GF(q)$. But this cannot 
be the case since Lemma 2 shows that the minimum polynomial of $\alpha\gamma$ over 
$GF(q)$ has degree $LM$. We have thus proved our desired result, namely: 

Proposition 4: When the two LFSR's in Fig. 2 have relatively prime 
lengths, irreducible connection polynomials and non-zero initial states, 
and when the speed factor $d$ is relatively prime to the period $T$ of the 
faster-shifting LFSR, then the output sequence $z$ will have linear complexity 
$LM$, as will also each of the input sequences to the adder that 
forms $z$ in Fig. 2. 

6. Remarks 

One could of course utilize the sequence $z$ produced by the generator of 
Fig. 2 as the sequence "$x$" in another such "Fig. 2 generator", where 
the second LFSR would now be shifted at another speed factor $d'$. If this 
second LFSR has length $N$ and $\gcd(LM, N) = 1$, we see from Proposition 4 
that we could obtain output sequences of linear complexity $LMN$. This 
process could be iterated as many times as desired. 

One could also modify the Fig. 2 generator by also shifting the upper 
LFSR at another speed factor $d'$. The analysis of such generators is an 
obvious modification of that presented in this paper. 

Finally, the reader may wonder why, in light of Proposition 4, one does 
not save hardware by using one of the $w^i$ sequences as the generator output, 
since its linear complexity equals that of $z$. The answer is that 
the sequence $w^i$ may have a gross imbalance of 0's to 1's (when $q = 2$) 
and/or other short term "non-random" features. The intuitive argument 
of Section 3 that suggested the structure of the Fig. 2 generator also 
suggests that the short term statistics of $z$ will be much more "random" 
than those of $w^i$. It appears feasible to carry out an analysis to verify 
this suspicion, but such an analysis is beyond our aim in this paper, 
which was to show the many interesting features that multiple clocks can 
introduce in sequence generators. When such sequence generators are 
used for cryptographic purposes, the various speed factors can be put 
under control of the secret key. Thus, such multiple-clocking gives 
an added "dimension" to secure sequence generator design. 
THE STOP-AND-GO-GENERATOR 

T. Beth 
F. C. Piper 

1. Introduction 

The usual method for generating binary sequences of acceptable properties 
with respect to period, complexity and statistics is based on a 
deterministic finite Boolean automaton 

[Figure: a sequence generator with inputs INIT and KEY and output OUT] 

which, after having been initialized by the key, on every clock impulse 
at time $t$ outputs a bit $u_t$, $t \in \mathbb{N}_0$. 

The cryptographic value of such a sequence generator depends obviously 
on the complexity of this machine. Several concepts for its design 
are known. 

The best-understood, though not too desirable, finite state machine is 
a linear feedback shift register (cf. Selmer, Golomb, Jennings). 

In most practical applications so-called non-linear feedback machines are 
being used, while their complexity, the so-called linear equivalent, is 
described via the shortest linear recursion generating the same output 
sequence. Another concept of measuring complexity has recently been 
proposed by Micali et al. 

The art of designing finite Boolean automata of high complexity has 
naturally become one of the central topics of modern cryptography, 
especially in the light of readily accessible VLSI implementations. 
Examples of these have been described by Beker/Piper, Jennings, Beth. 
A rather new concept of this kind seems to originate from the idea of a 
variable clock. 

While the usual concept is based on a clock with timing diagram 

[diagram 1: a regular clock ck, one pulse at each of t = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, ...] 

a variable clock has a timing diagram like 

[diagram 2: an irregular clock over t = 0, 1, 2, ..., 11, with some pulses missing] 

which could be produced from a usual clock (e.g. in diagram 1) AND-gated 
with a 0-1-sequence (as in diagram 3). 

[diagram 3: a 0-1-sequence over t] 

In a research project, which has been initiated through a grant by the 
British Science and Engineering Research Council awarded to the two 
authors in the year 1983, the theory and realisations of these so-called 
Stop-and-Go-Generators are being investigated. 



2. The Stop-and-Go-Generator 

The general Stop-and-Go-Generator is built from two feedback shift registers 
(FSR): $SR(B)$, driven by the clock ck and producing $(b_t)_{t \in \mathbb{N}_0}$, and 
$SR(A)$, driven by the clock ck and producing $(a_t)_{t \in \mathbb{N}_0}$, where the 
output of $SR(B)$ drives the clock of $SR(A)$: 

[Figure: ck clocks SR(B); the output of SR(B) is AND-gated with ck and clocks SR(A); 
the output of SR(A) is $u_t$] 

The output sequence $(u_t)_t$ is the Stop-and-Go-Sequence of $(a_t)_t$ by $(b_t)_t$. 



2.1 Observation 

With $s(t) = \mathrm{wgt}(b_1, \ldots, b_t) = \sum_{j=1}^{t} b_j$ the bits are given by 

$$ u_t = a_{s(t)}. $$ 

From this observation we immediately conclude the following 

2.2 Proposition 

Let $n_1$ resp. $n_2$ be the period of the sequence $(a_t)_t$ resp. $(b_t)_t$, and let 

$$ w = \mathrm{wgt}(b_1, \ldots, b_{n_2}) $$ 

be the number of 1's in the full period of $b_t$. 
If $\gcd(w, n_1) = 1$ then the period of $(u_t)_t$ is 

$$ n = n_1 \cdot n_2. $$ 

The condition of Prop. 2.2 cannot be dropped, as the following example shows. 



2.3 Example 

Let $a = (a_0, a_1, a_2, a_0, a_1, a_2, \ldots)$ be any sequence of period 3. 

Let $b$ be the sequence with period $(1\,0\,1\,0\,1)$. 

Then the Stop-and-Go-Sequence of $a$ by $b$ is 

$$ u = (a_0\, a_0\, a_1\, a_1\, a_2\, a_0\, a_0\, a_1\, a_1\, a_2 \ldots) $$ 

of period 5 and not 15 as we might expect (here $w = 3 = n_1$). 
After determining the period we have to determine the linear equivalent. 
As we know from coding theory, the weight function wgt is non-trivial analytically, 
so we try another approach to describe the sequence $u_t$. 

2.4 Example 

Obviously the following Boolean equations hold 

$$ u_0 = a_0 \quad \text{(by definition)} $$ 

$$ u_1 = b_1 a_1 + (1 - b_1) a_0 $$ 

$$ u_2 = b_2 b_1 a_2 + \bigl(b_1(1 - b_2) + b_2(1 - b_1)\bigr) a_1 + (1 - b_1)(1 - b_2) a_0 $$ 

In general we have 

2.5 Lemma 

For $n \le N$, $u_n \in \mathrm{BoolPol}[b_1, \ldots, b_n;\, a_0, \ldots, a_n]$, i.e. $u_n$ 
is a Boolean polynomial in $b_1, \ldots, b_n$ and $a_0, \ldots, a_n$ with degree 
$\delta_b(u_n) = n$ w.r.t. $b_1, \ldots, b_n$. 

From this we derive 

2.6 Lemma 

Let $R_n$ denote the ring of Boolean polynomials 

$$ R_n = \mathrm{BoolPol}[a_0, \ldots, a_n]. $$ 

Suppose the linear equivalent of $(b_t)$ is $L(B)$. Then $u_t$ is an $R_n$-linear 
combination of all $2^{L(B)} - 1$ monomials in $b_0, \ldots, b_{L(B)-1}$. 

With some special assumptions we can for instance derive from this the 

2.7 Theorem 

If $(a_t)_t$ and $(b_t)_t$ are binary sequences which belong to linearly disjoint 
field extensions, then $(u_t)_t$ has the linear equivalent 

$$ L(U) = (2^{L(B)} - 1) \cdot L(A). $$ 

Of course the situation assumed in the theorem is the "nicest" general 
case. Other special cases are studied by Vogel, who considers the case of 
equal field extensions (cf. Vogel), and by Gollmann, who investigates cascaded 
shift registers of equal prime period. 
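Both linear-complexity statements can be measured rather than taken on trust. The following Python script is an added example (not from either paper): it implements the Berlekamp-Massey algorithm over $GF(2)$, builds the Fig. 2 generator of the preceding paper (Massey and Rueppel) with an upper LFSR of length $M = 3$ ($x^3 + x + 1$), a lower LFSR of length $L = 4$ ($x^4 + x + 1$, period $T = 15$) shifted $d = 7$ times per output clock, and checks that $z$ and $w^1$ have linear complexity $LM = 12$ as Proposition 4 there states; it then builds the Stop-and-Go-Sequence of $a$ (from $x^3 + x + 1$, $L(A) = 3$) by $b$ (from $x^2 + x + 1$, $L(B) = 2$), whose fields $GF(8)$ and $GF(4)$ are linearly disjoint over $GF(2)$, and checks Proposition 2.2 (period $3 \cdot 7 = 21$, since $w = 2$ is prime to $n_1 = 7$) and Theorem 2.7 ($L(U) = (2^2 - 1) \cdot 3 = 9$). Polynomials, seeds and the speed factor are constructed for the example.

```python
# Added example: linear complexity of the multiple-speed generator (Massey-Rueppel, Fig. 2,
# Proposition 4) and of the Stop-and-Go-Generator (Theorem 2.7), measured with Berlekamp-Massey.

def lfsr_sequence(coeffs, seed, n):
    """s_0..s_{n-1} of the LFSR with characteristic polynomial x^L + c_1 x^(L-1) + ... + c_L
    over GF(2); coeffs = [c_1, ..., c_L], seed = [s_0, ..., s_{L-1}]."""
    s = list(seed)
    while len(s) < n:
        s.append(sum(c & s[-i] for i, c in enumerate(coeffs, 1)) & 1)
    return s

def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing the bit list s.
    Exact when len(s) is at least twice the linear complexity."""
    c, b = [1], [1]          # current and previous connection polynomials, c_0 = b_0 = 1
    L, m = 0, -1             # current complexity and index of the last length change
    for n, bit in enumerate(s):
        d = bit
        for i in range(1, L + 1):
            d ^= c[i] & s[n - i]               # discrepancy between prediction and s_n
        if d == 0:
            continue
        t, shift = c[:], n - m
        c = c + [0] * max(0, len(b) + shift - len(c))
        for i, bi in enumerate(b):
            c[i + shift] ^= bi                 # c(x) <- c(x) + x^(n-m) b(x)
        if 2 * L <= n:
            L, m, b = n + 1 - L, n, t
    return L

def min_period(seq):
    """Smallest p with which the sample repeats (the sample must cover >= 2 periods)."""
    return next(p for p in range(1, len(seq) + 1)
                if all(seq[k] == seq[k % p] for k in range(len(seq))))

def multispeed_generator(x, r, d, n, M, stages=None):
    """Fig. 2: z_j = sum over stages i of x_{j-i} * r_{dj-i} (mod 2), eqs. (23)-(26).
    x is one period of the upper (plaintext) LFSR with M stages, r one period of the lower
    (key) LFSR, which is shifted d times per output clock j. stages=[i] yields w^i alone."""
    stages = stages or range(1, M + 1)
    return [sum(x[(j - i) % len(x)] & r[(d * j - i) % len(r)] for i in stages) & 1
            for j in range(n)]

def stop_and_go(a, b, n):
    """Beth-Piper: u_t = a_{s(t)} with s(t) = b_1 + ... + b_t (ordinary integer sum);
    a and b are given as one period each."""
    out, s = [], 0
    for t in range(n):
        if t > 0:
            s += b[t % len(b)]
        out.append(a[s % len(a)])
    return out

# Constructed instance for Proposition 4: M = 3, L = 4, gcd(3, 4) = 1, d = 7, gcd(7, 15) = 1.
UPPER = lfsr_sequence([0, 1, 1], [0, 0, 1], 7)         # x^3 + x + 1, period 7
LOWER = lfsr_sequence([0, 0, 1, 1], [0, 0, 0, 1], 15)  # x^4 + x + 1, period 15
Z = multispeed_generator(UPPER, LOWER, 7, 210, M=3)
W1 = multispeed_generator(UPPER, LOWER, 7, 210, M=3, stages=[1])

# Constructed instance for Theorem 2.7: L(A) = 3, L(B) = 2, GF(8) and GF(4) linearly disjoint.
A = lfsr_sequence([0, 1, 1], [0, 0, 1], 7)             # x^3 + x + 1
B = lfsr_sequence([1, 1], [1, 1], 3)                   # x^2 + x + 1, one period = 1 1 0
U = stop_and_go(A, B, 63)

if __name__ == "__main__":
    print("L(z) =", linear_complexity(Z), "= LM =", 4 * 3)
    print("L(w^1) =", linear_complexity(W1), " ones in w^1:", sum(W1), " ones in z:", sum(Z))
    print("period of u =", min_period(U), "= n1*n2 =", 3 * 7)
    print("L(U) =", linear_complexity(U), "= (2^L(B) - 1) * L(A) =", (2 ** 2 - 1) * 3)
```

The ones counts of $w^1$ and $z$ printed alongside illustrate the remark of Section 6 of the preceding paper: $w^1$, a product of two balanced sequences, is markedly biased towards 0 although its linear complexity already equals $LM$.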

3. Concluding remarks 

Under the correct assumptions cascading of primitive shift registers 
leads to interesting results. But from Gollmann's work it is clear that 
general results on cascaded arbitrary shift registers cannot be expected. 

In order to guarantee a good statistical behaviour of the Stop-and-Go-Sequence 
it is suggested that the output sequence $u_t$ is finally XOR-gated 
with another PN-sequence. 

The statistical behaviour of $(u_t)_t$ itself, though theoretically quite 
good in special cases, is such that a cryptanalytic attack would be promising 
in spite of the extremely high linear equivalent of the sequence. 
PSEUDO RANDOM PROPERTIES OF 
CASCADE CONNECTIONS OF CLOCK CONTROLLED SHIFT REGISTERS 

Dieter Gollmann 

Institut für Systemwissenschaften 
Johannes Kepler Universität Linz, Austria 

Abstract. Shift registers are frequently used in generators of pseudo random 
sequences (see [1]). We will examine how cascade connections of clock controlled 
shift registers perform when used as generators of pseudo random sequences. 
We will derive results for the period, for the linear recursion and for the 
pseudo-randomness of their output sequences. 

1. Introduction. 

Cascade connections of clock controlled shift registers are a generalization of 
the idea of a "clock controlled automaton". Clock controlled automata were examined 
by P. Nyffeler [4]. A clock controlled shift register switches to its next state 
when input "one" is sent to its clock and remains unchanged when input "zero" is 
applied. We connect these clock controlled shift registers to a cascade connection 
as follows. The input to the cascade connection is sent to the clock of the first 
register. The input to the clock of the $i$-th register, $i \ge 2$, is the sum (modulo 2) 
of the input to the clock of the $(i-1)$-th register and the output of the $(i-1)$-th 
register. Likewise the output of the cascade connection is the sum of the input 
to the clock of the last register and of the output of the last register (see 
also [2]). 

[Fig. 1: A cascade connection of clock controlled shift registers; the three registers 
drawn hold the states 1 0 1, 0 0 1 and 1 1 0.] 
All shift registers in the cascade connection shall be of the same length $p$, 
$p > 2$ prime. Furthermore we exclude shift registers with the initial states 
"all zero" or "all one". We will examine output sequences generated by the 
input sequence $111\ldots$ 

2. Results. 

2.1. Periods of the output sequences. 

Regard a cascade connection of $n$ clock controlled shift registers of length $p$. 
Obviously any state trajectory, and therefore any output sequence, of this 
cascade connection has at most period $p^n$. We are able to prove 

Theorem 1: Any output sequence of any cascade connection of $n$ clock controlled 
shift registers of length $p$, $p > 2$ prime, has period $p^n$. 

Proof: Let $k_i$ denote the number of ones in the output sequence of a cascade 
connection of $i$ shift registers during the period $p^i$. 

First we prove that any state trajectory of any cascade connection of $n$ shift 
registers has period $p^n$. 

This is obviously true for $n = 1$, as the initial state of the shift register is 
non-trivial. With the same argument we get $\gcd(k_1, p) = 1$. 
Now assume that any state trajectory of any cascade connection of $n$ shift 
registers has period $p^n$ and that $\gcd(k_n, p) = 1$. 

The period of a state trajectory of a cascade connection of $n+1$ shift registers 
has to be a multiple of $p^n$, and the number of ones sent to the last register 
during this period has to be a multiple of $p$. So we have $m \cdot k_n = n' \cdot p$ for 
some natural numbers $m, n'$. From $\gcd(k_n, p) = 1$ we get $m = p$; the period of any 
state trajectory of any cascade connection of $n+1$ shift registers is $p^{n+1}$. 

Let $d$ denote the number of ones stored in the last register. We have 

$$ k_{n+1} = d(p^n - k_n) + (p - d)k_n = p(p^{n-1}d + k_n) - 2dk_n $$ 

and $\gcd(k_{n+1}, p) = 1$ follows from $\gcd(k_n, p) = \gcd(d, p) = 1$ and $p > 2$. 

Finally, the period of any output sequence of any cascade connection of $n$ shift 
registers has to divide the period of the corresponding state trajectory. As 
$\gcd(k_n, p) = 1$ this period has to be $p^n$. 
2.2. Linear recursion. 

We introduce some further notations. 

Let $(q_{i,1}, \ldots, q_{i,p})$ denote the initial state of the $i$-th register of some 
cascade connection of clock controlled shift registers. 

Let $f_{i,l}$ denote the characteristic polynomial of the sequence $q_{i,\,l+mk_{i-1}}$, 
$1 \le m \le p$, where the indices $l + mk_{i-1}$ are computed modulo $p$. 

Then the property "$p^2$ does not divide $2^{p-1} - 1$" is sufficient to prove that 
the characteristic polynomial $f$ of the output sequence generated by the 
given initial state can be computed by 

Theorem 2: $f(x) = (1 - x)\prod_{i=1}^{n} f_{i,k_{i-1}}\bigl(x^{p^{i-1}}\bigr)$. 

For the proof of this theorem see [3]. 

It is important to note that the linear recursion depends on the initial 
states of the shift registers in the cascade connection. 

"$p^2$ does not divide $2^{p-1} - 1$" is no severe restriction, as $p = 1093$ is the first 
prime number to violate this condition. 

Theorem 2 generalizes P. Nyffeler's result for the linear recursion of clock 
controlled automata [4]. 

For prime numbers $p$ with $C_p(x) = \sum_{i=0}^{p-1} x^i$ irreducible over $GF(2)$ we can deduce 

Theorem 3: $f(x) = 1 - x^{p^n}$. 



2.3. Pseudo-randomness. 

Consider a sequence $\mathcal{R} := ((R_i, q_i))_{i \in \mathbb{N}}$ of registers with initial states $q_i$. 
The $2^k \times 2^k$ matrices $T(k;l) := (t(k;l)_{i,j})$ give the relative frequencies of the 
transformations of the sequences of length $k$ caused by the cascade connection 
of the registers $R_{(l-1)k+1}, \ldots, R_{lk}$. 

Lemma 1: For any natural number $k$ any cascade connection of $k$ shift registers 
can transform any input sequence $x_1 \ldots x_k$ to any given output sequence $y_1 \ldots y_k$. 

Corollary: $\forall k, l \in \mathbb{N},\ \forall i, j = 1, \ldots, 2^k:\quad t(k;l)_{i,j} \ge p^{-k}$. 
Proof of Lemma 1: This lemma is true for $k = 1$ as the initial states of all 
shift registers are non-trivial. 

We now assume that the lemma holds for some given number $k$. 

Consider an arbitrary input sequence $x_0 \ldots x_k$, an arbitrary output sequence 
$y_0 \ldots y_k$ and an arbitrary cascade connection of $k+1$ shift registers. 

$y_0 = 0$: We set register $k+1$ to the initial state $1..0$ (the zero is at the 
output of the register). This initial state transforms some sequence. 
Let $q$ be the state of the first $k$ registers that transforms $x_1 \ldots x_k$ 
to $y_1 \ldots y_k$. Furthermore there exists a state $\delta^{-1}(q, x_0)$ that is 
transformed by $x_0$ to $q$. 

If input $x_0$ and initial state $\delta^{-1}(q, x_0)$ yield output zero, the initial 
state of the last register shall be $1..0$, otherwise $..01$. 
Now $x_0 \ldots x_k$ is transformed to $y_0 \ldots y_k$. 

$y_0 = 1$: We start with the last register in the initial state $0..1$ and proceed 
as above. If input $x_0$ and initial state $\delta^{-1}(q, x_0)$ yield output zero, the 
initial state of the last register shall be $0..1$, otherwise $..10$. 

The corollary follows from the fact that $p^k$ is the period of any state trajectory 
of any cascade connection of $k$ shift registers of length $p$. 

q.e.d. 



$T(k;l)$ is a primitive stochastic matrix for all $k, l \in \mathbb{N}$. We can make use of 
the following lemma. 

Lemma 2: Let $T$ be a stochastic matrix of dimension $n \times n$ with $\lambda := \min_{i,j} p_{ij} > 0$. 
Let $d$ be an $n$-vector with $d \ne 0$, $\sum_{i=1}^{n} d_i = 0$. We define 

$$ d^* := Td, \qquad \Delta_0 := \sum_{i=1}^{n} |d_i|, \qquad \Delta_1 := \sum_{i=1}^{n} |d_i^*|. $$ 

We get: $\Delta_1 \le (1 - n\lambda)\,\Delta_0$. 

The proof of Lemma 2 is similar to the proof of Lemma 4.1 in [5]. 
Theorem 4: With Lemma 1 and Lemma 2 we get for the matrices $T(k;l)$ 

$$ \Bigl\| \prod_{l=1}^{n} T(k;l)\,\Delta \Bigr\| \le \Bigl(1 - \bigl(\tfrac{2}{p}\bigr)^{k}\Bigr)^{n} \|\Delta\| \qquad \text{for all } n \in \mathbb{N}. $$ 

$\Delta$ gives the difference between the initial distribution of the 
input sequences of length $k$ and the vector $(2^{-k}, \ldots, 2^{-k})^t$ (i.e. 
equal distribution of the sequences of length $k$). 

Let $rf_n(y_1 \ldots y_k)$ denote the relative frequency of the sequence $y_1 \ldots y_k$ in the 
output sequence of some cascade connection of $n$ shift registers during the 
period $p^n$. From Theorem 4 we get 

$$ \lim_{n \to \infty} rf_n(y_1 \ldots y_k) = 2^{-k}. $$ 

We extend this result to the information entropy $H_k(n)$ of the frequencies 
$rf_n(y_1 \ldots y_k)$, taken over all words $(y_1 \ldots y_k)$ from $(0 \ldots 0)$ to $(1 \ldots 1)$: 

$$ \lim_{n \to \infty} H_k(n) = k. $$ 

When we increase the length of a cascade connection, the relative frequencies 
of the words of length $k$ converge towards equal distribution for any number $k$; 
the entropy converges towards its maximum. 

Remark. The sequence of matrices $(T(k;l))_{l \in \mathbb{N}}$ constitutes an inhomogeneous 
Markov chain where the matrices $T(k;l)$ can be taken only from a finite set. 
Markov chains of this kind have been studied by J. Wolfowitz already in 1963 
(see [6]). 

The rate of convergence $\bigl(1 - (\tfrac{2}{p})^{k}\bigr)$ given in Theorem 4 cannot be improved for 
$k = 1$. If a shift register of length $p$ contains only a single one we get 
3. Conclusion. 

We build a cascade connection from clock controlled shift registers of equal 
length $p$, $p > 2$ prime, where no shift register is in a trivial initial state. 

Any output sequence of such a cascade connection has period $p^n$ (i.e. maximal 
period); the linear recursion of any output sequence can be computed directly 
from the initial states of the shift registers (except for the case "$p^2$ divides 
$2^{p-1} - 1$"). For suitable prime numbers $p$ we have a linear recursion of length $p^n$ 
independent of the initial states. 

The sequences of length $k$ occur in the output sequence of a cascade connection 
with relative frequencies converging towards equal distribution when we increase 
the length of the cascade connection. This holds for all numbers $k$. 
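The construction of Section 1, Theorem 1 and the convergence statement of Section 2.3 can be exercised on small primes. The following Python script is an added example, not part of the paper: it simulates the cascade on the constant input $111\ldots$, checks that the output period is $p^n$ and that $k_n$ is prime to $p$ for the constructed initial states, and prints, for growing $n$, the largest deviation of the 2-block frequencies from $1/4$ together with the block entropy $H_2(n)$. The initial states (register $i$ holding $i$ ones followed by zeros) are constructed for the example, and the register model (a pure cycling register of length $p$ whose output is read before it moves) is the reading of the description above that the script assumes.

```python
# Added example: a cascade of clock controlled pure cycling registers of prime length p
# (Gollmann's construction), with the period check of Theorem 1 and the k-block
# frequencies / entropy of Section 2.3. Register states below are constructed.
import itertools
import math

def cascade_output(states, n_out):
    """Run the cascade for n_out clocks on the constant input 111... .
    states[i] is the initial content of register i (a list; index 0 is the output stage).
    Each register is a pure cycling register: a 1 on its clock rotates it one position.
    Clock of register i+1 = clock of register i XOR output of register i (read before the
    register moves); the cascade output is the same sum taken at the last register."""
    regs = [list(s) for s in states]
    out = []
    for _ in range(n_out):
        c = 1                          # cascade input bit
        for reg in regs:
            o = reg[0]
            if c:
                reg.append(reg.pop(0))
            c ^= o
        out.append(c)
    return out

def min_period(seq):
    """Smallest p with which the sample repeats (the sample must cover >= 2 periods)."""
    return next(p for p in range(1, len(seq) + 1)
                if all(seq[k] == seq[k % p] for k in range(len(seq))))

def ones_per_period(states):
    """k_n: number of ones in one period p^n of the output of an n-register cascade."""
    p, n = len(states[0]), len(states)
    return sum(cascade_output(states, p ** n))

def block_frequencies(seq, k):
    """Relative frequency rf(y_1..y_k) of each k-block over one period of seq (cyclically)."""
    N, counts = len(seq), {}
    for t in range(N):
        blk = tuple(seq[(t + i) % N] for i in range(k))
        counts[blk] = counts.get(blk, 0) + 1
    return {blk: cnt / N for blk, cnt in counts.items()}

def max_deviation(seq, k):
    """max |rf(block) - 2^-k| over all 2^k blocks (absent blocks count as rf = 0)."""
    rf = block_frequencies(seq, k)
    return max(abs(rf.get(blk, 0.0) - 2.0 ** -k) for blk in itertools.product((0, 1), repeat=k))

def block_entropy(seq, k):
    """Entropy H_k in bits of the k-block frequencies; equals k for equal distribution."""
    return -sum(f * math.log2(f) for f in block_frequencies(seq, k).values())

def nontrivial_states(p, n):
    """Constructed initial states: register i holds i ones then zeros (never all 0 / all 1)."""
    return [[1] * i + [0] * (p - i) for i in range(1, n + 1)]

if __name__ == "__main__":
    p = 5
    for n in range(1, 5):
        states = nontrivial_states(p, n)
        y = cascade_output(states, 2 * p ** n)
        print(f"n={n}: period {min_period(y)} (p^n = {p ** n}), k_n = {ones_per_period(states)},"
              f" max |rf - 1/4| over 2-blocks = {max_deviation(y[:p ** n], 2):.4f},"
              f" H_2 = {block_entropy(y[:p ** n], 2):.4f}")
```

For $p = 3$ and the states $1\,0\,0$, $1\,1\,0$ the output over one period is $1\,0\,0\,0\,1\,0\,1\,0\,1$: period $9 = p^2$ and $k_2 = 4$, prime to $3$, as Theorem 1 requires.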
On the linear complexity of cascaded sequences 

In the papers [1], [2] Kjeldsen derived very interesting properties 
of cascade coupled sequence generators. For applications in ciphering 
we are interested to know the linear complexity of such sequences. In 
the following we first consider the examples 1 and 2. 

Example 1 

[Figure: CLOCK drives SRG 1 (length $m$); the output of SRG 1 gates the clock of 
SRG 2 (length $m$); the outputs of both registers are AND-ed to give $(c_k)$] 

This sequence generator works as follows: 

Shift register 1 (SRG 1) is shifted with every clock. If the output of 
this register is 1, shift register 2 (SRG 2) is shifted and the generated 
bit of SRG 2 is used for $c_k$. 
If shift register 1 generates a 0, shift register 2 will not be shifted 
and the output of the generator is 0. 

If we denote the sequence from shift register 1 with $(a_k)$ and the sequence 
from shift register 2 with $(b_k)$, the sequence $(c_k)$ at the output can be 
computed in the following way: 

$$ c_k = a_k \cdot b_{G(k)}, \qquad k \in \mathbb{N}, $$ 

with 

$$ G(0) = 0, \qquad G(k) = \sum_{i < k} a_i, \qquad k \in \mathbb{N}. $$ 

(The last sum denotes a usual addition.) 



Example 2 

[Figure: CLOCK drives SRG 1 (length $m$); the output of SRG 1 gates the clock of 
SRG 2 (length $m$); the output of SRG 2 is $b_{G(k)}$] 

If we are only interested in generating the sequence $b_{G(k)}$, we use the 
generator of example 2. This structure works in the following manner: 
if shift register 1 generates a 1, the register SRG 2 is shifted and the 
output of SRG 2 is used for the output of the generator. Otherwise SRG 2 
is not shifted and the previously generated bit of SRG 2 is used as output 
bit. 
Later we give further examples. To get some answers about the linear 
complexity, we begin with example 2. For if we have derived the minimal 
polynomial $g(x)$ of the sequence $(b_{G(k)})$, we can use known theorems (e.g. 
Zierler [3]). Therefore we get for the minimal polynomial $h(x)$ of the 
sequence $(c_k)$ 

$$ h(x) \mid f_1 \vee g. $$ 

$f_1 \vee g$ is the polynomial with the zeros $\alpha \cdot \beta$, $\alpha$ a zero of $f_1(x)$, $\beta$ a zero of 
$g(x)$. 

$f_1 \vee g$ is also called the Hadamard product of $f_1$ and $g$. 

But first we still recall some properties of the sequences generated 
by the generator of example 1. More general formulations and proofs are 
in the papers [1], [2]. 

1. If the number of 1's computed over the period of $(a_k)$ is relatively 
prime to the period of the sequence $(b_k)$, then for the minimal period $p$ 
of $(c_k)$ the equation 

$$ p = p_1 \cdot p_2 $$ 

holds. These conditions are always satisfied if the feedback polynomials of the 
shift registers are primitive polynomials of degree $m$. In this case 
we have then 
2. The assumptions of the previous number are satisfied. Let $w_i(p_i)$, 
$i = 1, 2$, be the weight of $(a_k)$ resp. $(b_k)$ computed over the period $p_1$ 
resp. $p_2$; then for the frequency $w$ of the 1's in $(c_k)$ it holds 

$$ w = \prod_{i=1}^{2} \frac{w_i(p_i)}{p_i}. $$ 

If $(a_k)$ and $(b_k)$ are PN-sequences with the period $2^m - 1$, we have 

$$ w = \prod_{i=1}^{2} \frac{2^{m-1}}{2^m - 1} = \frac{2^{2m-2}}{(2^m - 1)^2} \approx \frac{1}{4}. $$ 

General assumption for the rest of the paper: all feedbacks are 
primitive polynomials. 

These last two results can be generalized to cascades with more than 
two stages. Further, in the papers [2] there are results on the autocorrelation 
properties of such sequences. 

Computation of the linear complexity of the sequence $(b_{G(k)})$. 

All following proofs are based on a theorem which we found in a very 
old book on algebra by Dickson [4] (1900). In a slight reformulation 
it says: 

Theorem 

Let $f_1(x), \ldots, f_N(x)$ be the set of all irreducible polynomials of degree $m$ 
and exponent $e$, 

$$ e = (2^m - 1)/d, $$ 

and let $\lambda \in \mathbb{N}$ be a number with the properties 

(i) $(\lambda, d) = 1$, 

(ii) all prime divisors of $\lambda$ are prime divisors of $2^m - 1$; 

then it holds: 

a) $\lambda \cdot m$ is the least number with the property $\lambda \cdot e \mid 2^{\lambda \cdot m} - 1$. 

b) The polynomials $f_1(x^\lambda), \ldots, f_N(x^\lambda)$ are irreducible of degree $m \cdot \lambda$ 
and exponent $\lambda \cdot e$, and the set $f_1(x^\lambda), \ldots, f_N(x^\lambda)$ consists of 
all polynomials with these properties. 

Proof: [4, page 22] 

In the special case 

$e = \lambda = 2^m - 1$, $d = 1$ 

we get 

a) $m \cdot (2^m - 1) = \min\{k : (2^m - 1)^2 \mid 2^k - 1\}$, 

b) the set $f_1(x^{2^m - 1}), \dots, f_N(x^{2^m - 1})$ is the set of all polynomials of degree 
$m \cdot (2^m - 1)$ with the exponent $(2^m - 1)^2$. 

With the help of this theorem we examine the sequence $(b_{G(k)})$ and 
prove: 

$f_2(x^{2^m - 1})$ is the minimal polynomial of $(b_{G(k)})$. 



Proof 

$(a_k) \leftrightarrow f_1(x)$, $(b_k) \leftrightarrow f_2(x)$, primitive polynomials of degree $m$, 
where $f_2(x) = \sum_{i=0}^{m} c_i x^i$. 

With $p := 2^m - 1$ the sum $G(k)$ has the properties 

$G(k + n \cdot p) = G(k) + n \cdot G(p)$, 
$G(p) = 2^{m-1}$. 

Using the operator $f(E^p)$ corresponding to the polynomial $f(x^p)$ 
($E$ is the shift operator), we get 

$f_2(E^p)\, b_{G(k)} = \sum_{i=0}^{m} c_i\, b_{G(k + i \cdot p)} = \sum_{i=0}^{m} c_i\, b_{G(k) + i \cdot G(p)} = \sum_{i=0}^{m} c_i\, b_{G(k) + i \cdot 2^{m-1}}$ 

$= \sum_{i=0}^{m} c_i\, b_{k' + i \cdot 2^{m-1}} \quad (k' := G(k))$ 

$= f_2(E^{2^{m-1}})\, b_{k'} = 0$, 

because $(b_{k' + i \cdot 2^{m-1}})_i$ is the decimation of the PN-sequence $(b_k)$ by the 
power of two $2^{m-1}$, hence a shifted copy of $(b_k)$, which $f_2(E)$ annihilates. 

With the theorem we now get 

1. $f_2(x^{2^m - 1})$ is the minimal polynomial of the sequence $(b_{G(k)})$, because 
the polynomial is irreducible. 

Thus the linear complexity of $(b_{G(k)})$ is $m \cdot (2^m - 1)$. 

2. The sequence $(b_{G(k)})$ has the minimum period $(2^m - 1)^2$, because the 
exponent of $f_2(x^{2^m - 1})$ is $(2^m - 1)^2$. 
Remarks 

1. With two cascaded shift registers of length 61 the linear complexity 
of $(b_{G(k)})$ has the value 
$K = 1.4 \cdot 10^{20}$. 

2. If the cascade consists of $n$ registers of length $m$, we get 
linear complexity $= m \cdot (2^m - 1)^{n-1}$, period $= (2^m - 1)^n$. 

3. It is possible to replace shift register 1 by a nonlinear shift 
register which generates a de Bruijn sequence. In this case it is 
still possible to give a lower bound for the linear complexity. 

Lower bound for the linear complexity in Example 1 

From previous considerations we see: the minimal polynomial $h(x)$ of 
the sequence $(c_k) = (a_k \cdot b_{G(k)})$ is a divisor of the 
polynomial $f_1(x) \vee f_2(x^{2^m - 1})$. 

But what about the degree of $h(x)$? The period $(2^m - 1)^2$ of the sequence 
$(c_k)$ is an odd number. The irreducible components of $h(x)$ therefore have 
the power 1. If we write the sequence $(c_k)$ with the zeros of $h(x)$, there 
must be zeros of order $(2^m - 1)^2$. The degree of each irreducible component 
with such a zero is equal to $m(2^m - 1)$. For the degree of $h(x)$ we therefore 
get the lower bound $\deg h(x) \ge m \cdot (2^m - 1)$. 

It is only possible to get lower bounds, but this is sufficient 
for the applications. 
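The two-stage cascade of Example 1 for $m = 3$, as an added worked example (not code from the paper): it builds $(b_{G(k)})$ and $(c_k) = (a_k \cdot b_{G(k)})$ from two primitive degree-3 feedback polynomials and checks the period $(2^m-1)^2 = 49$, the linear complexity $m(2^m-1) = 21$ of $(b_{G(k)})$, the lower bound for $(c_k)$ and the frequency of ones $\approx 1/4$ with the Berlekamp-Massey algorithm. The choice $x^3+x+1$ for SRG 1, $x^3+x^2+1$ for SRG 2 and the initial states are assumptions.

```python
# Added worked example (not from the paper): Example 1's cascade for m = 3,
# checking the period and linear-complexity claims with Berlekamp-Massey.
# Polynomial choice (x^3+x+1 for SRG 1, x^3+x^2+1 for SRG 2) is an assumption.

def lfsr_bits(taps, state, count):
    """Fibonacci LFSR over GF(2). `taps` lists the exponents i < m of the
    feedback polynomial x^m + ... + x^i + ..., so s[k+m] = XOR of the s[k+i]."""
    s = list(state)
    out = []
    for _ in range(count):
        out.append(s[0])
        fb = 0
        for i in taps:
            fb ^= s[i]
        s = s[1:] + [fb]
    return out

def cascade(a, b):
    """Output b_{G(k)}: SRG 2 is stepped once for every a_k = 1, otherwise its
    previous bit is repeated. G(k) = a_0 + ... + a_k counts the steps so far.
    `b` must hold at least sum(a) + 1 bits."""
    out, g = [], 0
    for ak in a:
        g += ak
        out.append(b[g])
    return out

def berlekamp_massey(seq):
    """Linear complexity of a GF(2) sequence (length of the shortest LFS register
    that generates it)."""
    n = len(seq)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # connection polynomial before the last length change
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L

def period(seq):
    """Least p with seq[k] == seq[k+p] for all k (seq must hold >= 2 periods)."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[k] == seq[k + p] for k in range(n - p)):
            return p
    return None

def example1(m=3, f1=(0, 1), f2=(0, 2), length=200):
    """Return (period of b_G, LC of b_G, period of c, LC of c, ones of c per period)
    for the sequences b_{G(k)} and c_k = a_k * b_{G(k)} of Example 1."""
    a = lfsr_bits(f1, [1] + [0] * (m - 1), length)        # SRG 1, state assumed
    b = lfsr_bits(f2, [1] + [0] * (m - 1), length + 1)    # SRG 2, state assumed
    bg = cascade(a, b)
    c = [ak & bk for ak, bk in zip(a, bg)]
    p = period(c)
    return (period(bg), berlekamp_massey(bg), p, berlekamp_massey(c), sum(c[:p]))

if __name__ == "__main__":
    # m = 3: period 49 = (2^3-1)^2, LC of b_G = 21 = 3 * 7, 16/49 ones in c
    print(example1())
```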
Example 3 

The sequences of example 1 have bad pseudo-noise properties, because 
the frequency of 1's at the output is only $1/4$. To remove this defect 
we add (mod 2) another linear shift register sequence to the sequence 
$(c_k)$. If we assume $(m, n) = 1$, the following lemma shows that the resulting 
sequence has better pseudo-noise properties. 

Lemma [1] 

The periods of the sequences $(a_k)$ and $(b_k)$ are relatively prime. Each 
$m$-tuple of weight $w$ occurs with the frequency $f^w (1-f)^{m-w}$ in $(a_k)$ and 
with the frequency $g^w (1-g)^{m-w}$ in $(b_k)$. Then each $m$-tuple of weight 
$w$ in the sequence $(a_k + b_k)$ occurs with frequency 

$h^w (1-h)^{m-w}$ with 

$h = f + g - 2f \cdot g$. 

If the sequence of SRG 3 is a PN-sequence of period $2^n - 1$ ($(m, n) = 1$), 
each $m$-tuple of weight $w$ in the output sequence thus has the frequency 




For the linear complexity $K$ of the output we have $K \ge m \cdot (2^m - 1)$. 



Example 4 

This example shows how a repetition of the method of example 1 leads 
to sequences of very high complexity. If we assume that all feedback 
polynomials are primitive polynomials, it is possible to prove that in each 
stage the number of 1's is relatively prime to $2^m - 1$. The output 
sequence of this structure has the least period $(2^m - 1)^3 \cdot (2^{n_1} - 1) \cdot (2^{n_2} - 1)$ 
if all the starting vectors of all registers are not equal to 0. 

As an example for the estimation of the linear complexity we examine 
the sequence $(c_k)$ with the minimum period $(2^m - 1)^3 \cdot (2^{n_1} - 1)$, 
i.e. $p^3 \cdot q$ with $p := 2^m - 1$ and $q := 2^{n_1} - 1$. 

We can represent this sequence with the zeros of its minimal polynomial 
$h(x)$. Two cases are possible. 

Case 1 

$h(x)$ has zeros of order $p^3 \cdot q$. With the help of the Theorem it is 
easy to show that each irreducible component with such a zero has the 
degree $m \cdot (2^m - 1)^2 \cdot n_1$. 

Case 2 

There are no zeros of order $p^3 \cdot q$. 

But in this case there exist zeros of order $p^3$ of the polynomial $h(x)$. Again 
with the Theorem we get: the irreducible component that contains such 
a zero has the degree $m \cdot (2^m - 1)^2$. 

Both cases yield for the linear complexity $K$ 
$K \ge m \cdot (2^m - 1)^2$. 

From these considerations we can recognize that it is possible to generate 
sequences with very high complexities with such cascades. 
1. Introduction 

The most interesting feature of modern cryptography is the 
interaction of arguments from complexity theory, information 
theory and number theory. As a result of this interaction 
the cryptographic security of simple pseudo random number 
generators has been based on reasonable number theoretic 
assumptions, see M. Blum, S. Micali (1982) and A. Yao (1982). 
The bit security of the RSA-scheme plays an important role in 
this context. If the problem of deciphering the RSA-ciphertexts 
can be reduced to the problem of getting partial information 
on single cleartext bits then an interesting situation 
arises. Either it is easy to decipher RSA-ciphertexts completely 
(in worst case without knowing the private key) or 
it is infeasible to get even partial information on single 
RSA-cleartext bits, and in this latter case the RSA-encryption 
provides a simple cryptographically secure pseudo random 
number generator. 

The bit security of the RSA-scheme was first studied by Goldwasser, 
Micali, Tong (1982). They showed that obtaining the least 
significant bit of an RSA-message is as hard as obtaining 
the entire message. Formally they proved that any oracle 
which, queried on an RSA-ciphertext, outputs the least significant 
bit of the corresponding message can be used to 
decrypt RSA efficiently. Ben-Or, Chor and Shamir (1983) 
proved that the two least significant RSA bits are $3/4 + \varepsilon$-secure, 
i.e. any oracle for these bits which is correct for 
a $3/4 + \varepsilon$-fraction of the ciphertexts can be used to decrypt 
RSA efficiently. They also showed that certain other bits are 
$15/16 + \varepsilon$-secure. The problem remained whether RSA-bits are 
$1/2 + \varepsilon$-secure. This would imply that RSA-bits yield a cryptographically 
secure pseudo random number generator. With some 
novel sampling techniques U.V. and V.V. Vazirani (1983) 
proved that the least significant RSA bits are $0.732 + \varepsilon$-secure. 

In this paper we finally prove that the least significant 
RSA-bits are $0.5 + \varepsilon$-secure. More formally, any oracle which 
correctly predicts the $k$-th least significant RSA-bit for 
at least a $0.5 + \varepsilon$-fraction of all messages can be used to 
decipher all RSA ciphertexts in time $(\log n)^{O(\varepsilon^{-2} + k)}$. 
2. The binary gcd-method for deciphering the RSA-scheme 

For an integer $n > 1$ let $\mathbb{Z}_n^* = \{x \bmod n \mid x \in \mathbb{Z}, \gcd(x, n) = 1\}$ 
be the multiplicative group of integers modulo $n$ which are 
relatively prime to $n$. The elements of $\mathbb{Z}_n^*$ will be represented 
by the integers $x$ with $0 < x < n$, $\gcd(x, n) = 1$. Let $l_i(x)$ 
be the $i$-th least significant bit of $x$, i.e. $x = \sum_{i \ge 1} l_i(x)\, 2^{i-1}$ 
with $0 < x < n$. Call $x \in \mathbb{Z}_n^*$ even if $l_1(x) = 0$. Note that 
$2x$ may be odd; this happens iff $n/2 < x < n$ with $n$ odd. 
Throughout the paper $n$ will be odd. Let $E : x \to x^e$ be an 
RSA encryption function and let $\mathcal{O}$ be an oracle which, given 
$E(a)$, determines $l_1(a)$, the least significant bit of $a$. 

Theorem 1 [Ben-Or, Chor, Shamir] There is a random polynomial 
time algorithm which queries the oracle $\mathcal{O}$ at most $O(\log_2 n)$ 
times and with probability $\ge 1/2$ deciphers $E(x)$. 

The deciphering algorithm computes $b \in \mathbb{Z}_n^*$ such that 
$E(xb) = 1 \bmod n$ and $x := b^{-1} \bmod n$. A particular version 
of the binary gcd-algorithm computes $b$ from randomly chosen 
elements $b_1, b_2$ with $xb_1, xb_2 < n/2$. The oracle is used for 
testing "$xb_1 < xb_2$?" and "$xb_i$ even?". In fact 

$xb_1 < xb_2 \iff \mathcal{O}\,E(2x(b_1 - b_2)) = 0$; $\quad xb_i$ even $\iff \mathcal{O}\,E(xb_i) = 0$. 

An important observation is that oracle queries on large 
elements $2x(b_1 - b_2)$ can be avoided. In section 3 we show that 
oracle queries on small elements can be answered correctly 
even if the oracle has error probability $0.5 - \varepsilon$. 
Algorithm 1 (the new deciphering algorithm) 

1. pick random elements $b_1, b_2 \in \mathbb{Z}_n^*$ with $b_i x$ odd and 
$b_i x < 2^{-k} n$ for $i = 1, 2$; $\quad c_1 := c_2 := 2^{-k}$; 

2. $i := 1$ if $c_1 \ge c_2$, $\quad i := 2$ if $c_2 > c_1$; 
$b_i := (b_1 + b_2)/2 \bmod n$; $\quad c_i := (c_1 + c_2)/2$; 

3. if $xb_i = 1 \bmod n$ then [$x := b_i^{-1} \bmod n$, stop]; 
if $xb_1 = xb_2$ then stop (failure); 
if $xb_i$ is odd then goto 2; 

4. while $xb_i$ even do [$b_i := b_i/2 \bmod n$, $c_i := c_i/2$]; 
goto 2; 

The values $c_i$ do not increase. An easy induction shows that 
$xb_i < c_i n$ throughout the computation. Since $c_1, c_2$ cannot 
become smaller than $1/n$, the oracle is queried at most $4 \log_2 n$ 
times in step 4. Since each pass of step 2 halves the 
difference $(b_1 - b_2)$, there are at most $\log_2 n$ consecutive passes 
of step 2. This proves 

Lemma 2 In the new deciphering algorithm all oracle queries 
are on elements $bx < 2^{-k} n$. The oracle is queried at most 
$4 \log_2 n$ times. 
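A simulation of Algorithm 1 for $k = 1$ with an error-free least-significant-bit oracle, added here as a worked example (not the paper's code): the deciphering routine only ever sees $E(x)$, the public key and the oracle's answers on $E(xb) = E(x)E(b)$, while the oracle itself is simulated by decrypting with the private key. The toy modulus, and the stand-in for the guessing of $b_1, b_2$ in step 1 (which here uses $x$ to pick $b_i$ with $xb_i$ odd and $< n/2$), are assumptions.

```python
# Added simulation (not the paper's code) of Algorithm 1, the binary gcd
# deciphering method, with a perfect least-significant-bit oracle (k = 1).
# The toy modulus and the way b1, b2 are "guessed" are assumptions.

P, Q = 61, 53                        # constructed toy primes, far too small for real use
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, used only inside the oracle

def enc(y):
    """RSA encryption E(y) = y^E mod N (multiplicative: E(xb) = E(x)E(b) mod N)."""
    return pow(y, E, N)

def make_lsb_oracle(counter):
    """Oracle answering l_1(y) when given E(y). The paper's oracle is hypothetical;
    here it is simulated by decrypting with D. The deciphering routine below never
    touches D and only sees the oracle's 0/1 answers; `counter` counts queries."""
    def oracle(ct):
        counter[0] += 1
        return pow(ct, D, N) & 1
    return oracle

def binary_gcd_decipher(cx, b1, b2, oracle):
    """Steps 2-4 of Algorithm 1 for k = 1. Precondition (step 1): x*b_i mod N is
    odd and < N/2 for i = 1, 2. Works on ciphertexts only.
    Returns x, or None when the method fails (gcd(x*b1, x*b2) != 1)."""
    inv2 = pow(2, -1, N)
    b = [b1, b2]
    c = [0.5, 0.5]                              # c_i: bound with x*b_i < c_i*N
    for _ in range(8 * N.bit_length() ** 2):    # safety cap (assumption)
        i = 0 if c[0] >= c[1] else 1            # step 2 (ties go to b_1)
        b[i] = (b[0] + b[1]) * inv2 % N         # (b_1+b_2)/2 mod N, exact since x(b_1+b_2) < N
        c[i] = (c[0] + c[1]) / 2
        if cx * enc(b[i]) % N == 1:             # step 3: x*b_i == 1 mod N ?
            return pow(b[i], -1, N)
        if cx * enc(b[0]) % N == cx * enc(b[1]) % N:
            return None                         # x*b_1 == x*b_2: failure
        while oracle(cx * enc(b[i]) % N) == 0:  # step 4: halve while x*b_i is even
            b[i] = b[i] * inv2 % N
            c[i] /= 2
    return None

def simulate(x, u1, u2):
    """Stand-in for step 1: choose b_i with x*b_i = u_i (odd, < N/2) using x,
    which the real algorithm would have to guess. Returns (recovered x, #queries)."""
    assert u1 % 2 == 1 and u2 % 2 == 1 and max(u1, u2) < N / 2
    xinv = pow(x, -1, N)
    queries = [0]
    oracle = make_lsb_oracle(queries)
    got = binary_gcd_decipher(enc(x), u1 * xinv % N, u2 * xinv % N, oracle)
    return got, queries[0]

if __name__ == "__main__":
    print(simulate(1234, 3, 5))     # recovers 1234 after 6 oracle queries
    print(simulate(1234, 9, 15))    # gcd(9, 15) = 3: the method reports failure
```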
3. The $0.5 + \varepsilon$-security of the least significant RSA-bit 

Now consider the case that the oracle makes errors. 

Let $\mathcal{O}_\varepsilon$ be an oracle which has a $1/2 + \varepsilon$-advantage in predicting 
the least significant bit, i.e. 

$\#\{x \in \mathbb{Z}_n^* : \mathcal{O}_\varepsilon[E(x)] = l_1(x)\} \,/\, \#\mathbb{Z}_n^* \ge 1/2 + \varepsilon$. 

We will exploit the relation (let $\oplus$ be the exclusive or) 

$l_1(a + b) = l_1(a) \oplus l_1(b)$, for $a, b \in \mathbb{Z}_n^*$, 
which holds provided that $a + b$ does not overlap $n$. 
Suppose we like to decipher $E(x)$ and 
we already know some $b$ with $xb < \varepsilon n/2$. Then we need to 
know $l_1(xb)$. We show that knowledge of $l_1(xr)$ for a random 
element $r \in \mathbb{Z}_n^*$ helps determining $l_1(xb)$: 

Fact 3 Let $r \in \mathbb{Z}_n^*$ be a random element. Then for all $bx \in \mathbb{Z}_n^*$ 
with $bx < \varepsilon n/2$ 

$\mathrm{prob}[\mathcal{O}_\varepsilon[E((r + b)x)] \oplus l_1(rx) = l_1(bx)] \ge (1 + \varepsilon)/2$. 

Proof "$\mathcal{O}_\varepsilon[E((b + r)x)] \oplus l_1(rx) = l_1(bx)$" holds if 
$\mathcal{O}_\varepsilon[E((b + r)x)] = l_1((b + r)x)$ and if $bx + rx$ does not 
overlap $n$. Since $bx < \varepsilon n/2$, overlap over $n$ occurs with 
probability $\le \varepsilon/2$. Moreover 

$\mathrm{prob}[\mathcal{O}_\varepsilon[E((b + r)x)] = l_1((b + r)x)] \ge 1/2 + \varepsilon$. 

Q.E.D. 

By a majority decision we can determine $l_1(bx)$ for $bx < \varepsilon n$ with 
arbitrarily high security provided that we know $l_1(r_i x)$ for 
sufficiently many independent elements $r_i \in \mathbb{Z}_n^*$: 
Lemma 4 Let $r_1, \dots, r_t \in \mathbb{Z}_n^*$, $t$ odd, be independent random 
elements. Then for all $x, b \in \mathbb{Z}_n^*$ with $xb < \varepsilon n/2$, $\varepsilon \le 1/4$, 
the event 

"$l_1(xb) \ne \lfloor \tfrac{1}{t} \sum_{i=1}^{t} \mathcal{O}_\varepsilon[E(x(b + r_i))] \oplus l_1(xr_i) \rceil$" 

has probability $\le 2\exp(-t\varepsilon^2/3)$ ($\lfloor a \rceil$ denotes the nearest 
integer to $a$). 

Proof We use the following version of the law of large 
numbers, see e.g. Rényi VII, §4, theorem 1: 

Let $X_1, \dots, X_t$ be independent random variables with mean 
value $m$ and variance $d^2$, $|X_i - m| \le K$. Then 

$\mathrm{prob}\left[\left|\tfrac{1}{t}\sum_{i=1}^{t} X_i - m\right| \ge \gamma d/\sqrt{t}\right] \le 2\exp\left[-\frac{\gamma^2}{2\left(1 + \frac{\gamma K}{2d\sqrt{t}}\right)^2}\right]$ 
for all $\gamma \le d\sqrt{t}/K$. 

We apply the theorem to 

$X_i = \mathcal{O}_\varepsilon[E(x(b + r_i))] \oplus l_1(xr_i) \oplus l_1(xb)$. 

Clearly $X_i = 1$ iff $\mathcal{O}_\varepsilon[E(x(b + r_i))] \oplus l_1(xr_i) \ne l_1(xb)$. 

We know from Fact 3 that $m \le (1 - \varepsilon)/2$. $\varepsilon \le 1/4$ implies 

$K = 5/8$, $\quad 2 \le 1/d \le \left(\tfrac{3}{8} \cdot \tfrac{5}{8}\right)^{-1/2} \le 2.14$. 

If "$l_1(xb) \ne \lfloor \tfrac{1}{t} \sum_{i=1}^{t} \mathcal{O}_\varepsilon[E(x(b + r_i))] \oplus l_1(xr_i) \rceil$" then 

$\left|\tfrac{1}{t}\sum_{i=1}^{t} X_i - m\right| \ge \varepsilon/2$. 

By the law of large numbers with $\gamma = \sqrt{t}\,\varepsilon/(2d)$ the latter 
event has probability 

$\le 2\exp\left[-\frac{t\varepsilon^2/(4d^2)}{2\left(1 + \frac{\varepsilon K}{(2d)^2}\right)^2}\right] \le 2\exp[-t\varepsilon^2/3]$. 

Q.E.D. 
Corollary 5 Let $bx \in \mathbb{Z}_n^*$, $bx < \varepsilon n/2$, $\varepsilon \le 1/4$, and let 
$r_1, \dots, r_t \in \mathbb{Z}_n^*$ be independent random elements, 
$t \ge 3\varepsilon^{-2}\log(2s)$. Then 

$\mathrm{prob}[l_1(bx) \ne \lfloor \tfrac{1}{t} \sum_{i=1}^{t} \mathcal{O}_\varepsilon[E((r_i + b)x)] \oplus l_1(r_i x) \rceil] \le 1/s$. 

Proof By Lemma 4 the event in question has probability 
$\le 2\exp[-t\varepsilon^2/3]$. Thus it is sufficient to choose 
$t \ge 3\varepsilon^{-2}\log(2s)$. Q.E.D. 

A key observation is that once we have guessed $l_1(r_i x)$ for 
sufficiently many random elements $r_i \in \mathbb{Z}_n^*$ then we can 
determine with sufficiently high security $l_1(bx)$ for any 
$bx < \varepsilon n/2$. 



Theorem 6 There is a random $(\log n)^{O(\varepsilon^{-2})}$-time algorithm 
using oracle $\mathcal{O}_\varepsilon$ that inverts the encryption function $E(x)$. 

Proof In order to decipher $E(x)$ do the following. 

1. pick random elements $r_1, \dots, r_t \in \mathbb{Z}_n^*$ ($t$ will be determined 
below). 

2. guess $b_1, b_2 \in \mathbb{Z}_n^*$ with $b_i x < \varepsilon n/2$ for $i = 1, 2$. 

3. guess $l_1(r_i x)$ for $i = 1, \dots, t$. 

4. simulate the binary gcd deciphering method but stop after 
at most $4 \log_2 n$ oracle queries. For each oracle query 
compute $l_1(xb) := \lfloor \tfrac{1}{t} \sum_{i=1}^{t} \mathcal{O}_\varepsilon[E((r_i + b)x)] \oplus l_1(r_i x) \rceil$. 

The algorithm succeeds if all the query answers are correct 
and if the binary gcd method succeeds with initial values 
$b_1, b_2$. By Lemma 2 the oracle is queried at most $4 \log_2 n$ times. 
By Corollary 5, for $t := \lceil 3\varepsilon^{-2} \log(2s) \rceil$ each query answer 
has error probability $\le 1/s$. Choose $s := 8 \log_2 n$; then with 
probability $\ge 1/2$ all query answers are correct. It is important 
for our argument that $r_1, \dots, r_t$ are independent of 
all intermediate elements $bx$ occurring in the binary gcd method 
with initial values $b_1, b_2$. Guessing $b_1, b_2$ and $l_1(r_i x)$ for 
$i = 1, \dots, t$ can be done within $2^t \varepsilon^{-2} = (\log n)^{O(\varepsilon^{-2})}$ trials. 
Therefore $E(x)$ can be deciphered in $(\log n)^{O(\varepsilon^{-2})}$ steps. 

Q.E.D. 
4. The security of other RSA-bits 

Consider $l_i(x)$, the $i$-th least significant bit of $x \in \mathbb{Z}_n^*$, 
i.e. $x = \sum_{i} l_i(x)\, 2^{i-1}$ for $x$ with $0 < x < n$. We note 
that for small elements $a \in \mathbb{Z}_n^*$ we can express $l_1(a)$ by 
$l_k(2^{k-1} a)$. In fact 

(*) $\quad l_1(a) = l_k(2^{k-1} a)$ for all $a < 2^{-k+1} n$. 

Let $\mathcal{O}_{1,k}$ be any oracle which for given $E(a)$ determines 
$l_k(a)$. By (*) we can implement the binary gcd deciphering 
method using $\mathcal{O}_{1,k}$, provided we guess two initial values $b_i$ 
with $b_i x < 2^{-k} n$. This proves 

Theorem 6 For every $k$ there is a random $(2^k \log n)^{O(1)}$-time 
algorithm using the oracle $\mathcal{O}_{1,k}$ which inverts the encryption 
function $E(x)$. 

Now suppose that $\mathcal{O}_{1,k}$ makes errors. Let $\mathcal{O}_{\varepsilon,k}$ be any oracle 
that has $\varepsilon$-advantage in predicting the $k$-th least significant 
bit $l_k(x)$ of $x$; more formally: 

$\#\{x \in \mathbb{Z}_n^* : \mathcal{O}_{\varepsilon,k}[E(x)] = l_k(x)\} \,/\, \#\mathbb{Z}_n^* \ge 1/2 + \varepsilon$. 

We implement the binary gcd deciphering method with oracle 
$\mathcal{O}_{\varepsilon,k}$ as follows: 

1. pick random elements $r_1, \dots, r_t \in \mathbb{Z}_n^*$, $t = \lceil 3(4 + \log\log n)\,\varepsilon^{-2} \rceil$. 

2. guess $l_k(r_i x)$ for $i = 1, \dots, t$. 

3. guess elements $b_1, b_2$ such that $xb_i < \varepsilon 2^{-k} n$ for $i = 1, 2$. 

4. simulate the binary gcd deciphering method as follows. For 
each query on $xb < \varepsilon 2^{-k} n$ put 

$l_1(xb) := \lfloor \tfrac{1}{t} \sum_{i=1}^{t} \mathcal{O}_{\varepsilon,k}[E(x(2^{k-1} b + r_i))] \oplus l_k(xr_i) \rceil$ 

and stop after at most $4 \log_2 n$ queries. 

We have $l_1(xb) = l_k(x 2^{k-1} b) = l_k(x(2^{k-1} b + r_i)) \oplus l_k(xr_i)$ 
provided that $x 2^{k-1} b + xr_i$ does not overlap $n$. Since 
$bx < \varepsilon 2^{-k} n$, overlap over $n$ occurs with probability $\le \varepsilon/2$. 
Therefore 

$l_1(xb) = \mathcal{O}_{\varepsilon,k}[E(x(2^{k-1} b + r_i))] \oplus l_k(xr_i)$ 

occurs with probability $\ge (1 + \varepsilon)/2$. By the law of large 
numbers each oracle query has error probability 
$\le 2\exp[-t\varepsilon^2/3] \le 1/(27 \log n)$ for $\varepsilon \le 1/4$. Hence with 
probability $\ge 1/2$ all query answers are correct. 

The algorithm succeeds if all query answers are correct and 
if $\gcd(xb_1, xb_2) = 1$. Guessing such elements $b_1, b_2$ with 
$xb_i < \varepsilon 2^{-k} n$ and guessing $l_k(xr_i)$ for $i = 1, \dots, t$ can be done by 
$\varepsilon^{-2}\, 2^{2k}\, 2^t = (\log n)^{O(\varepsilon^{-2})}\, 2^{2k}$ trials. This proves 

Theorem 7 For every $k$ there is a random $(\log n)^{O(\varepsilon^{-2} + k)}$-time 
algorithm using oracle $\mathcal{O}_{\varepsilon,k}$ which inverts the encryption 
function $E(x)$. 
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5. Efficient deciphering with random oracles 

-2 

The previous time bound (logn)°' £ can be considerably 

improved if the oracle Cr. k has no particular structure. 
We will prove that almost all oracles O" , can be used to 

invert the encryption function E(x) in random time 

r -1 , .k,0(1) 
[ e log n 2 ] . 

For fixed k we define a probability distribution on the set 
of all 0-1 valued oracles &" . Oracle ©" has probability 
weight <0.5 + e) s (0. 5 - e ) v (n) " s with 

s = #ly£ 2* I <r[E(y)] = 1, (y)} , ip(n) = #71 . Let OR . be 
n jc n 1. 1 a. 

a random oracle with respect to this distribution, i.e. 

* 

WR g k [E(y)] , for y £Z n , are 0,1-valued, independent random 
elements with prob[CTR £ k tE(y)] = l k <y) 1 = 0.5 + e . We im- 
plement the binary gcd deciphering method with oracle ecR e:/ ] c 
as follows. 

1. for t := [ 3 (4 + log log n) e ] guess a random element r 
with rx < n/ (2t) and rx = 0 mod 2 . 

2. guess elements b^,b2 such that b^x < 2 n for i = 1/2. 

3. simulate the binary gcd deciphering method; for each query 

-k. 

on xb < 2 n put 

l T (xb) := ^i = 1 CrR efk [E(x(2 k ~ 1 b + ir) ) ]J 
and stop after at most 4 log 2 n queries. 

If rx < n/(2t) and rx = 0 mod 2 then l k <irx) = 0 and 

irx = 0 mod 2 k for i<t . If xb < 2~ k n then l k <*b) = 1 1 (x2 k ~ 1 b) . 
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-k 

Hence for all xb < 2 n : 

prob[crR E(k [E(x(2 k " 1 b + ir) ) ] = 1 1 (xb) ] = 0.5 + e . 

By the law of large numbers each query answer has error 

2 

probability < 2 exp(-e t/3) < 1/ (27 log n) (This means that 
the fraction of oracles Q* which in step 3 give a wrong 

2 

value 1^ (xb) for a particular query, is at most 2exp(-e t/3) ; 
this fraction is exponentially small for large t) . With 
probability > 1/2 all 4 log- n query answers with OR , are 
correct. Hence the algorithm using oracle OR . succeeds 

£ , K 

with probability > 1/2 if b 1( b 2 »r have been guessed as 
specified. 



Guessing r and b^, can be done (with probability > 1/2) 

with 2 2t 2 = 0(2 e ^ log log n) trials. Thus E(x) can 

3k -2 4 

be deciphered (with probability > 1/2) in 0(2 e (logn) ) 
bit operations, ((logn)^ bounds the number of bit operations 
for evaluating E(y)). Thus we have proved 

Theorem 8 For every k there is a random [e ^ log n 2 k ]° ^ 1 ^ -time 
algorithm using oracle 0*R , which inverts the encryption 
function E(x) . 



It clearly follows that the time bound of theorem 8 holds for 
all but a negligible fraction of oracles 0" , which have 
an £ - advantage in predicting 1^ . It is an open problem 
whether the time bound [e ^ log n 2^]°^' can be obtained 
for all oracles C_ , . 






References: 

M. Ben-Or, B. Chor, A. Shamir, On the Cryptographic Security 
of Single RSA Bits, Proc. STOC 1983, 421-430. 

L. Blum, M. Blum, M. Shub, A Simple Secure Pseudo-Random 
Number Generator, Crypto 1982. 

M. Blum, S. Micali, How to Generate Cryptographically Strong 
Sequences of Pseudo-Random Bits, Proc. FOCS 1982, 112-117. 

S. Goldwasser, S. Micali, P. Tong, Why and How to Establish a 
Private Code on a Public Network, Proc. FOCS 1982, 134-144. 

M. Rabin, Digital Signatures and Public Key Functions as 
Intractable as Factorization, MIT/LCS/TR-212, Technical 
Report, MIT, 1979. 

A. Rényi, Wahrscheinlichkeitsrechnung, 
VEB Deutscher Verlag der Wissenschaften, Berlin 1966. 

R. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital 
Signatures and Public Key Cryptosystems, CACM, February 1978. 

A. Shamir, On the Generation of Cryptographically Strong Pseudo-Random 
Sequences, ICALP 1981. 

A. Yao, Theory and Applications of Trapdoor Functions, Proc. 
FOCS 1982, 80-91. 

U. V. and V. V. Vazirani, RSA Bits are .732+ε Secure, 
TR, U. Berkeley and Harvard University 1983. 



On the Number of Close-and-Equal Pairs of Bits in a String 
(with Implications on the Security of RSA's L.S.B) 

(Extended Abstract) 

Oded Goldreich 
Laboratory for Computer Science 
MIT, room NE43-836, Cambridge, MA 02139 

Abstract 

We consider the following problem: Let $s$ be an $n$-bit string with $m$ ones and $n - m$ 
zeros. Denote by $CE_t(s)$ the number of pairs of equal bits which are within distance 
$t$ apart in the string $s$. What is the minimum value of $CE_t(\cdot)$, when the minimum is 
taken over all $n$-bit strings which consist of $m$ ones and $n - m$ zeros? 

We prove a (reasonably) tight lower bound for this combinatorial problem. 

Implications on the cryptographic security of the least significant bit of a message 
encrypted by the RSA scheme follow. E.g., under the assumption that the RSA is 
unbreakable, there exists no probabilistic polynomial-time algorithm which guesses the 
least significant bit of a message (correctly) with probability at least 0.725 when 
given the encryption of the message using the RSA. This is the best result known 
concerning the security of RSA's least significant bit. 
1. Introduction 

This paper combines a combinatorial study with the application of its results to 
the analysis of a cryptological question. (The combinatorial problem is fully defined 
and solved in Sec. 2.) 

1.1. Cryptological Background 

The importance of the notion of "partial information" to cryptographic research 
has gained wide recognition through the pioneering works of Blum and Micali [BM] and 
Goldwasser and Micali [GM]. In this paper we consider a much more specific question: 
the cryptographic security of the least significant bit of a message encrypted by the 
RSA scheme (hereafter referred to as RSA's l.s.b). 

The RSA encryption scheme was presented by Rivest, Shamir and Adleman [RSA]. 
It is the best known implementation of the notion of a Public Key Cryptosystem, 
which was suggested by Diffie and Hellman [DH]. Encryption using the RSA is done by 
raising the message to a known exponent, $e$, and reducing the result modulo a known 
composite number, $N$, the factorization¹ of which is kept secret. The inverse of $e$ 
modulo $\varphi(N)$ is used for decryption and is kept secret. It is widely 
believed that the RSA is hard to break. This means that an adversary who does not 
know the secret ($e^{-1} \bmod \varphi(N)$) will not be able to compute the message from its 
encryption (i.e. to invert the encryption function). 

However, even under this unbreakability assumption, it might be the case that 
the RSA leaks some "valuable" partial information. I.e. it might be that given the 
ciphertext, one can compute some function of half of the bits of the plaintext. Proving 
that, under the unbreakability assumption, this is infeasible will make the RSA much 
more attractive. This seems to be a high goal. Research attempts are meanwhile focused 
on the feasibility of guessing correctly the least significant bit of the plaintext (i.e. 
RSA's l.s.b)². 

By saying that RSA's l.s.b is $p$-secure we mean that guessing it correctly with 
probability at least $p$ is as hard as inverting the RSA. Consider an oracle that when 
given the encryption (using the RSA) of a message guesses the least significant bit of 
the message correctly with probability $p$. Such an oracle will be called a $p$-oracle for 
RSA's l.s.b. Clearly, the existence of a polynomial time algorithm that inverts the 
RSA using a $p$-oracle for RSA's l.s.b implies that RSA's l.s.b is $p$-secure. 

It is believed that RSA's l.s.b is $(\frac{1}{2} + \varepsilon)$-secure, for arbitrarily small constant $\varepsilon$. 
Proving this statement might be a major breakthrough on the way to proving that any 
"valuable" partial information about the message encrypted by the RSA is as hard to 
get as inverting the RSA. Progress towards this goal has been slow but consistent in 
the recent years. 

¹ To be exact, $N$ is the product of two large primes, $p$ and $q$. $\varphi(\cdot)$ is Euler's totient function, 
thus $\varphi(pq) = (p - 1)(q - 1)$. 

² Nevertheless, results have been achieved also w.r.t. other kinds of partial information. For details 
consult [BCS] and [VV2]. 
The first step was taken by Goldwasser, Micali and Tong [GMT] who proved that 
RSA's l.s.b is $(1 - \frac{1}{|N|})$-secure, where $|N|$ is the size of the RSA's modulus. 

Ben-Or, Chor and Shamir greatly improved this result by proving that RSA's l.s.b 
is $(\frac{3}{4} + \varepsilon)$-secure, where $\varepsilon$ is fixed and arbitrarily small. Their paper [BCS] contains an 
algorithm which inverts the RSA function. Their algorithm uses a $(\frac{3}{4} + \varepsilon)$-oracle for 
RSA's l.s.b (in order) to determine the parities of certain multiples of the original 
message. For further details consult [BCS] or [VV2]. 

Vazirani and Vazirani [VV1] have presented a very sophisticated modification of 
the algorithmic procedure used by Ben-Or, Chor and Shamir. The theme of their 
modification is a much better use of the oracle answers. They showed that their 
modification is guaranteed to succeed when given access to a 0.741-oracle for RSA's 
l.s.b. Recently, they have improved their analysis by showing that their modification 
is guaranteed to succeed even if it uses a 0.732-oracle. 

Using the combinatorial results obtained in this paper, we show that the Vazirani 
and Vazirani algorithm is guaranteed to succeed when it uses a 0.725-oracle for RSA's 
l.s.b. Other observations w.r.t. the Vazirani and Vazirani algorithm as well as w.r.t. 
other inverting algorithms are also implied. 

1.2. Our Results 

The following problem occurred to us when trying to improve Ben-Or, Chor and 
Shamir's result [BCS]: 

Let $s$ be an $n$-bit string with $m$ ones and $n - m$ zeros. Two bits in the string $s$ 
are said to be $t$-close if they are within distance $t$ apart. Denote by $CE_t(s)$ the 
number of pairs of equal $t$-close bits in the string $s$. What is the minimum 
value of $CE_t(\cdot)$, over all $n$-bit strings which consist of $m$ ones and $n - m$ zeros? 

In Sec. 2 we prove a (reasonably) tight lower bound on this combinatorial problem. 
With respect to proving the "amount" of security of the least significant bit of the 
RSA, this is a double-edged sword: 

(1) It provides a powerful tool for analyzing certain algorithms for inverting the 
RSA using a $(\frac{1}{2} + \delta)$-oracle for RSA's l.s.b. 

For example, the algorithm proposed by Vazirani and Vazirani [VV1] is shown 
to work when it uses any 0.725-oracle for RSA's l.s.b (i.e. $\delta = 0.225$). This 
establishes the best result known concerning the security of RSA's l.s.b. 

(2) It points out the weakness of various proof techniques for determining the 
cryptographic security of RSA's l.s.b. 

For example, the Vazirani and Vazirani algorithm [VV1] may fail to invert if it uses a 
|-oracle for RSA's l.s.b. 

These implications will be discussed in Sec. 3. We believe that the combinatorial 
result has also other implications. 
2. The Combinatorial Results 

In this section we give a formal definition of the combinatorial problem discussed 
in the introduction, and prove a (reasonably) tight lower bound on it. 

2.1. Definitions 

Let $s = (s_0, s_1, s_2, \dots, s_{|s|-1})$ be a binary string of length $|s|$. We denote by $sh_i(s)$ 
the string which results from $s$ by the application of $i$ left cyclic shifts. I.e.: 

$sh_i(s) = (s_i, s_{i+1}, s_{i+2}, \dots, s_{i+|s|-1})$, 

where indices are considered modulo $|s|$. 

Define the $i$-overlap of a string $s$ to be the number of positions which agree in $s$ and 
$sh_i(s)$. The $i$-overlap of $s$ will be denoted by $over_i(s)$, i.e. 

$over_i(s) = \mathrm{Hamming}(s \equiv sh_i(s))$, 

where $\equiv$ denotes the bit by bit equality operation and $\mathrm{Hamming}(s)$ denotes the number 
of ones in $s$. Note that $over_i(s) = |\{j : 0 \le j < |s| \wedge s_j = s_{j+i}\}|$. 

Denote by $AverOver(s, t)$ the average over the $i$-overlaps of $s$ for $i \in \{1, 2, \dots, t\}$. I.e. 

$AverOver(s, t) = \frac{1}{t} \sum_{i=1}^{t} over_i(s)$. 

We remind the reader that $CE_t(s)$ was used to denote the number of pairs of equal 
bits which are within distance $t$ apart in the string $s$. I.e. 

$CE_t(s) = |\{(i, j) : 0 \le i < j < n \wedge s_i = s_j \wedge j - i \le t\}|$, 

where $n = |s|$. 

Clearly, $CE_t(s) = \sum_{i=1}^{t} |\{j : 0 \le j < n \wedge s_j = s_{j+i}\}|$. Thus 

$CE_t(s) = t \cdot AverOver(s, t)$. 

When evaluating $CE_t(s)$ consider "lines" which connect equal $t$-close bits in $s$ (i.e. 
positions that contain equal values and are less than $t$ bits apart in the string $s$). These 
lines are hereafter called overlines. Note that $CE_t(s)$ is nothing but the number of 
overlines in the string $s$. 

Let $n$ and $m$ be integers such that $0.5n \le m \le n$. Let $\delta = \frac{m - 0.5n}{n}$. We denote 
by $S_n^\delta$ the set of $n$-bit binary strings with $m = (0.5 + \delta)n$ ones (and $n - m$ zeros). 

Denote by $Aver(n, \delta, t)$ the minimum value of $AverOver(\cdot, t)$ divided by $n$, when 
minimized over all strings in $S_n^\delta$. I.e. 

$Aver(n, \delta, t) = \min_{s \in S_n^\delta} \{ \frac{1}{n} \cdot AverOver(s, t) \}$. 

It is straightforward to see that for every $s \in S_n^\delta$, $AverOver(s, n) = (0.5 + 2\delta^2)n$. 

In this section we study $Aver(n, \delta, t)$ for arbitrary $t$, $t < n$. We obtain non-trivial 
results, such as the surprising fact that $Aver(n, 0, t)$ converges to $\sqrt{2} - 1 \approx 0.414$ when $\frac{n}{t}$ 
and $t$ are large enough. 
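The definitions of this subsection made executable, as an added example (not code from the paper): $over_i$, $AverOver$ and $CE_t$ on strings treated as cycles (as from Prop. 1 on), a brute-force $Aver(n, \delta, t)$ over all of $S_n^\delta$ for small $n$, and a check for the short 3-alternations substrings of Sec. 2.2. The sample parameters ($n = 8$, $m = 4$, $t = 2$) are constructed for the example.

```python
# Added worked example (not from the paper): the definitions of Sec. 2.1 made
# executable, with a brute-force Aver(n, delta, t) for small n.  Strings are
# treated as cycles throughout (Prop. 1), so CE_t(s) = t * AverOver(s, t).
from itertools import combinations

def over(s, i):
    """i-overlap: number of positions j with s_j == s_{j+i} (indices mod |s|)."""
    n = len(s)
    return sum(1 for j in range(n) if s[j] == s[(j + i) % n])

def aver_over(s, t):
    """AverOver(s, t) = (1/t) * sum_{i=1}^{t} over_i(s)."""
    return sum(over(s, i) for i in range(1, t + 1)) / t

def ce(s, t):
    """CE_t(s): number of overlines (equal bits at cyclic distance 1..t)."""
    return sum(over(s, i) for i in range(1, t + 1))

def strings_with_m_ones(n, m):
    """S_n^delta for delta = (m - 0.5n)/n: every n-bit string with exactly m ones."""
    for ones in combinations(range(n), m):
        yield "".join("1" if j in ones else "0" for j in range(n))

def aver(n, m, t):
    """Aver(n, delta, t) = min over S_n^delta of AverOver(s, t)/n, together with
    the minimising strings (brute force; fine for n up to about 20)."""
    best, argmin = None, []
    for s in strings_with_m_ones(n, m):
        v = aver_over(s, t) / n
        if best is None or v < best:
            best, argmin = v, [s]
        elif v == best:
            argmin.append(s)
    return best, argmin

def has_short_3_alternation(s, t):
    """True if s (as a cycle) contains a short 3-alternations substring
    sigma tau+ sigma+ tau, i.e. 01+0+1 or 10+1+0, of length less than t + 2."""
    n = len(s)
    for start in range(n):
        for length in range(4, t + 2):
            w = "".join(s[(start + j) % n] for j in range(length))
            inner = w[1:-1]
            a = len(inner) - len(inner.lstrip(w[-1]))   # leading run of tau inside
            if (w[0] != w[-1] and 0 < a < len(inner)
                    and inner[a:] == w[0] * (len(inner) - a)):
                return True
    return False

if __name__ == "__main__":
    best, mins = aver(8, 4, 2)
    # n = 8, m = 4, t = 2: the minimum 0.25 is reached only by rotations of 00110011
    print(best, mins)
    print(aver_over("11111000", 8), (0.5 + 2 * 0.125 ** 2) * 8)   # both 4.25
```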
2.2. Propositions 

We will assume throughout this section that t < ^(n — 2). We will analyze $Aver(n, \delta, t)$ 
as follows: first we will show that the minimum of $CE_t(\cdot)$ is achieved by strings which 
belong to a restricted subset of $S_n^\delta$; and next we will minimize $CE_t(\cdot)$ over this subset. 
This will establish a lower bound on $Aver(n, \delta, t)$. The upper bound will be implied 
by the proof of the lower bound, since this proof specifies a string $s \in S_n^\delta$ for which 
$CE_t(s) \approx nt \cdot Aver(n, \delta, t)$. 

2.2.1. Reduction into a restricted subset 

In this subsection we will show that when analysing $Aver(n, \delta, t)$ it is enough to consider 
strings in $S_n^\delta$ which have the following property: 

The string contains no "short 3-alternations substring". A short 3-alternations 
substring is a substring of the form $\sigma\tau^+\sigma^+\tau$ and length less than $t + 2$, where 
$\sigma \ne \tau \in \{0, 1\}$. (Here, and throughout this paper, $\sigma^+$ denotes a non-empty string 
of $\sigma$'s.) 

Proposition 1: $over_i(s) = over_i(sh_j(s))$ 

Prop. 1 follows directly from the definitions, which consider strings as if they were 
cycles. From this point on, we also take the liberty of doing so. 

The proofs of the following propositions are omitted; they can be found in the full 
version of this paper ([G84]). 

Proposition 2: Let $\sigma_j \in \{0, 1\}$, for $1 \le j \le 2t$. Let $\alpha$ be a binary string. Let 
$n_{\tau_1\tau_2} = CE_t(\sigma_1\sigma_2\cdots\sigma_t\,\tau_1\tau_2\,\sigma_{t+1}\sigma_{t+2}\cdots\sigma_{2t}\,\alpha)$. Then $n_{10} - n_{01} = 2(\sigma_1 - \sigma_{2t})$. 

Note that switching $\tau_1$ and $\tau_2$ in the string $\sigma_1\sigma_2\cdots\sigma_t\,\tau_1\tau_2\,\sigma_{t+1}\sigma_{t+2}\cdots\sigma_{2t}\,\alpha$ results in 
the string $\sigma_1\sigma_2\cdots\sigma_t\,\tau_2\tau_1\,\sigma_{t+1}\sigma_{t+2}\cdots\sigma_{2t}\,\alpha$. The latter string has more overlines (than the 
former one) only if $\sigma_1 = \tau_2 \ne \tau_1 = \sigma_{2t}$. Note that the latter string has fewer overlines 
if $\sigma_1 = \tau_1 \ne \tau_2 = \sigma_{2t}$. 

Proposition 3: Let $\alpha$ be a binary string and let $x, y, z, u$ be integers such that 
$x + y > t$ but $y + z < t$. Then: 

(i) CE t [ffT*a*T'- 1 oTa) < CE t [or*(r*T*ea). 

(ii) CEt{<rr*o*T*- l tTTO u - x i t -°oa) < CE^aH^^r^aa). 

(iii) CEt(<TT z o*<jT z cc) < CE t {(TT x ^T z aa). 

Proposition 4: Let $s \in S_n^\delta$ be a binary string such that $CE_t(s) = nt\cdot\mathrm{Aver}(n,\delta,t)$. (I.e. $s$ is a string with minimum number of overlines among all strings in $S_n^\delta$.) Then there exists a string $s' \in S_n^\delta$ such that:

(i) The string $s'$ contains a substring of the form $10^+1^+0$ the length of which is at least $t+2$.³

(ii) $CE_t(s') \le CE_t(s) + t^2$.



³ We remind the reader that $\sigma^+$ denotes a non-empty string of $\sigma$'s.
Proposition 5: Let $s' \in S_n^\delta$ be a string, with minimum number of overlines, which satisfies Prop. 4. Then with no loss of generality, the string $s'$ contains no substring of the form $10^+1^+0$ the length of which is less than $t+2$. Furthermore, the string $s'$ contains at most one substring of the form $01^+0^+1$ the length of which is less than $t+2$.

We remind the reader that $CE_t(s') \le nt\cdot\mathrm{Aver}(n,\delta,t) + t^2$ and that $s' \in S_n^\delta$.

Proposition 6: Let $s' \in S_n^\delta$ be a string as in Prop. 5. Then there exists a string $s'' \in S_n^\delta$ such that:

(i) The string $s''$ contains no substring of the form $10^+1^+0$ the length of which is less than $t+2$.

(ii) The string $s''$ contains no substring of the form $01^+0^+1$ the length of which is less than $t+2$.

(iii) $CE_t(s'') \le CE_t(s') + t^2$.

We remind the reader that our objective is to give a good lower bound on $\mathrm{Aver}(n,\delta,t) = \min_{s \in S_n^\delta} \frac{1}{nt} CE_t(s)$. Note that we have restricted our attention to strings that do not have short 3-alternations substrings; i.e. substrings of the form $01^+0^+1$ or $10^+1^+0$ which have length less than $t+2$. This is sufficient since there exists such a string, namely $s''$, that has approximately the minimum number of overlines. I.e. $CE_t(s'') \le nt\cdot\mathrm{Aver}(n,\delta,t) + 2t^2$. Formally we define $R_n^\delta$ to be the set of strings which belong to $S_n^\delta$ and do not have short 3-alternating substrings. $\mathrm{Aver}_R(n,\delta,t)$ will denote $\min_{r \in R_n^\delta} \frac{1}{nt} CE_t(r)$. Clearly,

Proposition 7: $\mathrm{Aver}(n,\delta,t) \le \mathrm{Aver}_R(n,\delta,t) \le \mathrm{Aver}(n,\delta,t) + \frac{2t}{n}$.

Let us define an even more restricted subset of $S_n^\delta$: The set $MR_n^\delta$ is the subset of strings which belong to $R_n^\delta$ and do not have long homogeneous substrings; i.e. substrings of the form $\sigma^{t+1}$, where $\sigma \in \{0,1\}$. Also, $\mathrm{Aver}_{MR}(n,\delta,t)$ will denote $\min_{r \in MR_n^\delta} \frac{1}{nt} CE_t(r)$. Let us first give a tight lower bound on $\mathrm{Aver}_{MR}(n,\delta,t)$ and only later prove that this bound is approximately also a bound for $\mathrm{Aver}_R(n,\delta,t)$.

2.2.2. Lower bound for $\mathrm{Aver}_{MR}(n,\delta,t)$

Recall that each of the strings in $MR_n^\delta$ has the following properties:

(i) The string contains no short 3-alternating substrings.

(ii) The string contains no long homogeneous substrings.

We will rely on the above properties of the strings in $MR_n^\delta$ in order to bound $\mathrm{Aver}_{MR}(n,\delta,t)$. Given a string $r \in MR_n^\delta$ we will introduce an expression for $CE_t(r)$ which depends only on the number of bits in each maximal substring of consecutive equal bits. In other words, we will introduce a localized counting of $CE_t(r)$.

Definition: We say that $b$ is a block (an all-$\sigma$ block) of the string $r$ if it is a maximal substring of equal bits. I.e. $b = \sigma^+$ and $r = \tau b \tau \alpha$, where $\tau \ne \sigma$ and $\alpha$ is an arbitrary string.
Denotations: Let $q$ denote the number of all-zero [all-one] blocks in $r$. Beginning from an arbitrary position between an all-one block and an all-zero block and going cyclically from left to right, number the blocks of consecutive zeros [ones] by $0,1,2,\ldots,(q-1)$. Denote by $z_i$ the number of zeros in the $i$-th all-zero block and by $y_i$ the number of ones in the $i$-th all-one block. I.e., $r = 0^{z_0}1^{y_0}0^{z_1}1^{y_1}\cdots 0^{z_{q-1}}1^{y_{q-1}}$.

Proposition 8: Overlines occur (in $r$) only either within a block or between two consecutive blocks (of the same bit).

Remark: Note that Prop. 8 holds even if $r \in R_n^\delta$.

This suggests evaluating the number of overlines (in $r$) by counting the "contribution" of each (homogeneous) block to it. This counting is hereafter referred to as the Block-Localized Counting (BLC) and proceeds as follows:

Block-Localized Counting (with respect to a block of length $l$ in $r$):

(i) The number of overlines within the block, denoted $I_l$.

(ii) The number of overlines between bits of the blocks neighbouring this block (i.e. the first block on its left and the first block on its right), denoted $B_l$.

Note that $I_l$ and $B_l$ are easy to evaluate and can be used to express $CE_t(r)$. Namely,

Proposition 9:

(i) $CE_t(r) = \sum_{i=0}^{q-1}\big((I_{y_i} + B_{y_i}) + (I_{z_i} + B_{z_i})\big)$, where $r = 0^{z_0}1^{y_0}0^{z_1}1^{y_1}\cdots 0^{z_{q-1}}1^{y_{q-1}}$.

(ii) For $l < t$, $I_l = \binom{l}{2}$ and $B_l = \binom{t-l+1}{2}$.

(iii) For $l = t$, $I_t = \binom{t}{2}$ and $B_t = 0$.

Remark: Note that for $l > t$, $I_l = \binom{t}{2} + (l-t)t$ and $B_l = 0$. (Note that for $k \ge 0$, $CE_t(\sigma^{t+k}) = CE_t(\sigma^{t+k-1}) + t = CE_t(\sigma^t) + kt$.) However such substrings do not exist in a string which belongs to $MR_n^\delta$.

Evaluating $I_l + B_l$ we get

Proposition 10: The contribution (to the BLC) of one $l$-bit long block (in $r$) is:

$f(l) = l^2 - (t+1)l + \frac{t(t+1)}{2}$.
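The Block-Localized Counting of Props. 9 and 10 can be checked by brute force. The Python below is an added illustration and not code from the paper: it computes $CE_t(r)$ directly from the definition (equal bits at cyclic distance $1,\ldots,t$) and compares it with $\sum f(l)$ over the cyclic blocks of $r$, for every string in $MR_n^\delta$ (all $\delta$) at small $n$; the strings and parameters are constructed here.

```python
"""Brute-force check of the Block-Localized Counting (added illustration)."""
from itertools import product


def over_i(s, i):
    """Number of positions j with s[j] == s[j+i] (indices taken cyclically)."""
    n = len(s)
    return sum(s[j] == s[(j + i) % n] for j in range(n))


def ce_t(s, t):
    """CE_t(s): overlines between equal bits at cyclic distance 1..t (assumes n > 2t)."""
    return sum(over_i(s, i) for i in range(1, t + 1))


def cyclic_blocks(s):
    """Lengths of the maximal runs of equal bits when s is read as a cycle."""
    n = len(s)
    starts = [j for j in range(n) if s[j] != s[j - 1]]   # s[-1] is the cyclic predecessor of s[0]
    if not starts:                                       # constant string: one block
        return [n]
    s = s[starts[0]:] + s[:starts[0]]                    # rotate so a block begins at index 0
    lengths, run = [], 1
    for j in range(1, n):
        if s[j] == s[j - 1]:
            run += 1
        else:
            lengths.append(run)
            run = 1
    lengths.append(run)
    return lengths


def in_mr(s, t):
    """Membership in MR_n^delta: every block has length <= t, and two cyclically adjacent
    blocks have total length >= t (that is exactly "no 3-alternation shorter than t+2")."""
    b = cyclic_blocks(s)
    if len(b) < 2:
        return False
    return all(l <= t for l in b) and all(b[i] + b[(i + 1) % len(b)] >= t for i in range(len(b)))


def f(l, t):
    """Prop. 10: contribution of one l-bit block, I_l + B_l = C(l,2) + C(t-l+1,2)."""
    return l * l - (t + 1) * l + t * (t + 1) // 2


def blc(s, t):
    """Block-Localized Counting: sum of f over the blocks of s."""
    return sum(f(l, t) for l in cyclic_blocks(s))


def blc_matches_ce(n, t):
    """Exhaustively verify CE_t(r) == BLC(r) for every r in MR_n^delta (any delta)."""
    checked = 0
    for bits in product("01", repeat=n):
        s = "".join(bits)
        if in_mr(s, t):
            if ce_t(s, t) != blc(s, t):
                return False
            checked += 1
    return checked > 0          # False if no MR string exists for these n, t


if __name__ == "__main__":
    # constructed example: blocks (2,3) repeated, t = 5 -> both counts give 39
    print(ce_t("00111" * 3, 5), blc("00111" * 3, 5))
    print(blc_matches_ce(12, 4), blc_matches_ce(14, 5))
```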

Note that the contribution of all the all-zero blocks to the number of overlines (in $r$) only depends on the way the zeros are partitioned among the all-zero blocks. (I.e. it is independent of the way the ones are partitioned among the all-one blocks.) This contribution amounts to:

$g(z_0, z_1, \ldots, z_{q-1}) = \sum_{i=0}^{q-1} f(z_i)$,

where $r = 0^{z_0}1^{y_0}0^{z_1}1^{y_1}\cdots 0^{z_{q-1}}1^{y_{q-1}}$.
Note that $g(\cdot,\ldots,\cdot)$ is a quadratic form and therefore

Proposition 11: For fixed $q$, $t$ and $k$, the minimum value of the function $g(z_0, z_1, \ldots, z_{q-1})$ subject to the constraint $k = \sum_{i=0}^{q-1} z_i$ is obtained at $z_0 = z_1 = \cdots = z_{q-1} = \frac{k}{q}$.
Thus, the minimum number of overlines is achieved if all the all-zero blocks [all-one blocks] are of the same size. This yields

Proposition 12: Let $Q = \{q \in \text{Integers} : \frac{m}{t} \le q \le n - m\}$. Then:
$nt\cdot\mathrm{Aver}_{MR}(n,\delta,t) \ge \min_{q \in Q}\big\{ q\cdot\big(f(\tfrac{m}{q}) + f(\tfrac{n-m}{q})\big)\big\}$.
We remind the reader that $m = (0.5+\delta)n$.
Elaborating the r.h.s. expression of Prop. 12 we get

Proposition 13: $\mathrm{Aver}_{MR}(n,\delta,t) \ge \min_{q \in Q}\{h_t(q)\}$, where
Note that 

Proposition 14: The minimum of the function $h_t(\cdot)$ is obtained at:

$q_{\min} = \sqrt{\frac{\frac12 + 2\delta^2}{t(t+1)}}\cdot n$,

and the minimum value, $h_t(q_{\min})$, is:

$v_t^* = \sqrt{2+8\delta^2}\cdot\sqrt{\frac{t+1}{t}} - \frac{t+1}{t}$.

Thus, $\mathrm{Aver}_{MR}(n,\delta,t) \ge v_t^*$. All that is left is to derive a lower bound for $\mathrm{Aver}_R(n,\delta,t)$.

2.2.3. Lower bound for $\mathrm{Aver}_R(n,\delta,t)$ and $\mathrm{Aver}(n,\delta,t)$

In this subsection we show that a string, $r_0 \in R_n^\delta$, with minimum overlines can be transformed into a string $r_0' \in MR_{n'}^{\delta'}$, such that $n' \approx n$, $\delta' \approx \delta$ and $CE_t(r_0') \approx CE_t(r_0)$. We conclude by using this fact and the lower bound for $\mathrm{Aver}_{MR}(n,\delta,t)$, to introduce a lower bound for $\mathrm{Aver}_R(n,\delta,t)$.

Proposition 15: Let $r_0 \in R_n^\delta$ be a string with minimum number of overlines; i.e. $CE_t(r_0) = nt\cdot\mathrm{Aver}_R(n,\delta,t)$. Then:

(i) For $\sigma \in \{0,1\}$, either $r_0$ contains no substring of more than $t$ consecutive $\sigma$'s or $r_0$ contains no block of less than $t$ consecutive $\sigma$'s. Furthermore, w.l.o.g., $r_0$ contains at most one substring of more than $t$ consecutive $\sigma$'s.

(ii) If t > then ro has no substring of the form a 11 . 
(hi) If t < |y then Aver(n,<5,*)=2<5. 

(iv) If t > |~ then there exist a k < t, a 6' > 6 and a r' Q 6 MR„ +k such that 

CE t {r 0 )> CEtfa) -kt . 

We conclude by using Prop. 15(iv) and the lower bound for $\mathrm{Aver}_{MR}(n,\delta,t)$, to introduce lower bounds for $\mathrm{Aver}_R(n,\delta,t)$ and $\mathrm{Aver}(n,\delta,t)$.
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Proposition 16: If t > if-- then 

(i) There exist $0 \le k < t$ and $\delta' \ge \delta$ such that $\mathrm{Aver}_R(n,\delta,t) \ge \mathrm{Aver}_{MR}(n+k,\delta',t) - \frac{k}{n}$.

(ii) $\mathrm{Aver}_R(n,\delta,t) \ge v_t^* - \frac{t}{n}$.

(iii) $\mathrm{Aver}(n,\delta,t) \ge v_t^* - \frac{3t}{n}$.

2.3. The Main Results 

Throughout this section we assume that j~ < t < |(n — 2) . 
Lower Bound Lemma: $\mathrm{Aver}(n,\delta,t)$ is at least

The proof follows immediately from Prop. 14 and 16(iii).
Upper Bound Lemma: $\mathrm{Aver}(n,\delta,t)$ is at most

The proof follows from observing that the proof of the lower bound specifies the structure of a string which achieves minimum $CE_t(\cdot)$ among all strings in $MR_n^\delta$. The
block sizes, may appear. However, the overlap added by the round-up of the number 
of blocks is less than ~^- \ while the overline added by the round-up of the blocks' sizes 
is less than jfi. For details see the full version of this paper. 

Evaluating the expressions in the above lemmas we get

Corollary 1:

(i) $\sqrt{2} - 1 - O(\frac{1}{t}) \le \mathrm{Aver}(n,0,t) \le \sqrt{2} - 1 + O(\frac{1}{t}) + O(\frac{t}{n})$.

(ii) For $t \ge 2500$ and $n \ge 300000\cdot t$, $\mathrm{Aver}(n,0.177,t) \ge \frac12 + 0.0001$.

(iii) For $t \ge 500$ and $n \ge 10000\cdot t$, $\mathrm{Aver}(n,0.225,t) \ge 0.55 + 0.0001$.

(iv) For every $2500 \le t \le$ and $\delta \le 0.176$, $\mathrm{Aver}(n,\delta,t) \le \frac12$.

(v) For every $500 \le t \le$ and $\delta \le 0.224$, $\mathrm{Aver}(n,\delta,t) \le 1 - 2\delta$.

2.4. Additional Definitions and Results 

In this section we define a different, yet related, combinatorial problem. Instead of considering the average overlap over all "small"⁴ shifts, we consider the maximum overlap obtained by one of the "small" shifts.

Let us define an $i$-overline to be a line which connects a pair of equal bits which are (exactly) at distance $i$ apart.



⁴ Here, "small" means not greater than $t$.
Denote by $\mathrm{MaxOver}(s,t)$ the maximum over the $i$-overlaps of $s$ for $i \in \{1,2,\ldots,t\}$. I.e.

$\mathrm{MaxOver}(s,t) = \max_{1 \le i \le t}\{\mathrm{over}_i(s)\}$.

Denote by $\mathrm{Max}(n,\delta,t)$ the minimum value of $\mathrm{MaxOver}(s,t)$ divided by $n$, when minimized over all strings in $S_n^\delta$. I.e.

$\mathrm{Max}(n,\delta,t) = \min_{s \in S_n^\delta}\{\frac{1}{n}\cdot\mathrm{MaxOver}(s,t)\}$.

Clearly,

Proposition 17: $\mathrm{Max}(n,\delta,t) \ge \mathrm{Aver}(n,\delta,t)$.

This establishes a trivial lower bound on $\mathrm{Max}(n,\delta,t)$. We do not believe that this bound is tight; however we failed to prove a better one. On the other hand the following proposition yields an upper bound on $\mathrm{Max}(n,\delta,t)$.

Proposition 18: ((i) is folklore and (ii) appears in van Lint [L])

(i) For every De-Bruijn Sequence⁵, $s$, of length $2^k$ and every $i$, $i \in \{1,2,\ldots,k-1\}$,

$\mathrm{over}_i(s) = \frac12\cdot 2^k$.

(ii) For every $k$ there exists a Shortened De-Bruijn Sequence⁶, $s$, of length $2^k - 1$ such that for every $i$, $i \in \{1,2,\ldots,2^k-2\}$,

$\mathrm{over}_i(s) = 2^{k-1} - 1 \approx \frac12\cdot(2^k - 1)$.

Using Prop. 18 we also obtain an upper bound on $\mathrm{Max}(n,\delta,t)$; i.e.
Proposition 19: [Here $q$ is an integer.]
(i) For t + 1 = I = 2 k - 1, n — ql and 6 = tSgpi, Max(n,<S,t) < 2 +<$ ~ rpr + £• 

(ii) $\mathrm{Max}(n,\delta,t) \le \mathrm{Max}(n,\delta,t+1)$.

(iii) $\mathrm{Max}(n,\delta,t) \le \frac12 + \delta + O(\frac{1}{t})$.

The proof appears in the full version of this paper.



⁵ The $2^k$-bit long string $(a_0, a_1, a_2, \ldots, a_{2^k-1})$ is a De-Bruijn Sequence if (when considered in circular order) it contains as substrings all possible bit-strings of length $k$.

⁶ A Shortened De-Bruijn Sequence, of length $2^k - 1$, is a $2^k$-long De-Bruijn Sequence in which a zero has been omitted from the all-zero block of length $k$.
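Prop. 18 and the $\mathrm{MaxOver}$ definition of this section can be tried on concrete sequences. The Python below is an added illustration, not the paper's code: it builds shortened De-Bruijn sequences as LFSR m-sequences from the primitive polynomials $x^4+x+1$ and $x^5+x^2+1$ (an assumption made here), checks $\mathrm{over}_i$ against both parts of Prop. 18, and evaluates $\mathrm{MaxOver}(s,t)/n$ for $q$ copies of the shortened sequence, i.e. the parameters $t+1 = l = 2^k-1$, $n = ql$ of Prop. 19(i).

```python
"""Prop. 18 on concrete De-Bruijn sequences (added illustration)."""


def over_i(s, i):
    """Number of positions j with s[j] == s[j+i], indices cyclic."""
    n = len(s)
    return sum(s[j] == s[(j + i) % n] for j in range(n))


def max_over(s, t):
    """MaxOver(s,t) = max over i in {1,...,t} of over_i(s)."""
    return max(over_i(s, i) for i in range(1, t + 1))


def m_sequence(k, taps):
    """LFSR output of period 2^k - 1: s[j+k] = XOR of s[j+e] for e in taps, the recurrence of
    the characteristic polynomial x^k + sum_e x^e (primitive by assumption). The register
    starts from 0...01, so the unique run of k-1 zeros sits at the front of the output."""
    s = [0] * (k - 1) + [1]
    for j in range((1 << k) - 1 - k):
        s.append(sum(s[j + e] for e in taps) & 1)
    return s


def is_de_bruijn(s, k):
    """Footnote 5: every binary k-tuple occurs exactly once as a cyclic substring."""
    n = len(s)
    windows = {tuple(s[(j + i) % n] for i in range(k)) for j in range(n)}
    return n == 1 << k and len(windows) == n


def check_prop18(k, taps):
    """Returns (part (ii) holds for the shortened sequence, part (i) holds for its extension).
    Part (ii): over_i = 2^(k-1) - 1 for every 1 <= i <= 2^k - 2.
    Part (i): after putting the omitted zero back into the zero run (footnote 6) the
    2^k-bit string is a De-Bruijn sequence with over_i = 2^(k-1) for 1 <= i < k."""
    short = m_sequence(k, taps)
    db = [0] + short
    ok_short = all(over_i(short, i) == (1 << (k - 1)) - 1 for i in range(1, (1 << k) - 1))
    ok_db = is_de_bruijn(db, k) and all(over_i(db, i) == 1 << (k - 1) for i in range(1, k))
    return ok_short, ok_db


def periodic_max_over(k, taps, q):
    """q copies of the shortened sequence: l = 2^k - 1, n = q*l, t = l - 1.
    Returns MaxOver(s,t)/n, which is (2^(k-1) - 1)/(2^k - 1) because the string is periodic."""
    short = m_sequence(k, taps)
    s = short * q
    return max_over(s, len(short) - 1) / len(s)


if __name__ == "__main__":
    print(m_sequence(4, [1, 0]))                  # x^4 + x + 1: 000100110101111
    print(check_prop18(4, [1, 0]), check_prop18(5, [2, 0]))
    print(periodic_max_over(4, [1, 0], 4))       # 7/15
```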
3. On the Cryptographic Security of the RSA's L.S.B.

In this section we apply the results of the previous section to the analysis of algorithms which invert the RSA encryption function when given access to an oracle for the least significant bit of the encrypted message. This implies results (concerning the security of RSA's l.s.b.) which fall into the following three categories:

(i) A 0.725-security result (for RSA's l.s.b) 

(ii) Conditional improvements of the above result. I.e. results which will hold if 
some conjecture is proven. 

(iii) Bounds on the possibility of improvements using current techniques. 

3.1. Specific Background

Our 0.725-security result is based on Vazirani and Vazirani's work [VV1], which is an improvement of Ben-Or, Chor and Shamir's [BCS] work. In this subsection we sketch some of the ideas used in these nice works.

3.1.1. A Sketch of Ben-Or, Chor and Shamir's Algorithmic Procedure
The essence of the Inverting Algorithm:

The plaintext is reconstructed, from its encryption, by running a g.c.d. procedure on two multiples⁷ of it. The values of these multiples (as well as the values of all multiples discussed hereafter) are "small"⁸. A Modified Binary G.C.D. algorithm is used. To operate, this algorithm needs to know the parity of multiples of the plaintext. Thus, it is provided with a subroutine that determines the parity of these multiples. (see [BCS])

Determining Parity using an Oracle which may err:

The subroutine determines the parity of a multiple, $kx$, of the plaintext, $x$, by using a $(\frac12+\delta)$-oracle for RSA's l.s.b. as follows. It picks a random $r$ and asks the oracle for the parity (i.e. l.s.b.) of both $rx$ and $rx + kx$, feeding it in turn with $E(rx) = E(r)E(x)$ and $E((r+k)x) = E(r+k)E(x)$⁹. The oracle's answers are processed according to the following observation. Since $kx$ is "small", with very high probability $rx < rx + kx$. Then, the parity of $kx$ is equal to 0 if the parities of $rx$ and $rx + kx$ are identical; and equal to 1 otherwise. This is repeated many times; every repetition (instance) is called a $kx$-measurement (or a toss of the $kx$-coin). Note that the outcome of a $kx$-measurement is correct if the oracle was correct on both $rx$ and $rx + kx$. The outcome is correct also if the oracle was wrong on both queries (but this fact is not used in [BCS]).



⁷ All integers and operations are considered modulo $N$, the RSA's modulus.

⁸ Here and throughout the rest of the paper "small" means bounded by a very small fraction of the RSA's modulus.

⁹ $E(M)$ denotes the RSA encryption function. Recall that $E(M) = M^e \pmod N$, where $N$ and $e$ are respectively the RSA's modulus and exponent.
(Trivial) Measurement Analysis:

A $kx$-coin toss is correct with probability at least $2\delta$.

(This suffices if $\delta = \frac14 + \epsilon$, see [BCS])
3.1.2. A Sketch of Vazirani and Vazirani's Modification of the BCS-Procedure
Distinguishing a Good Coin from a Bad one:

For $\delta < \frac14$; if when running a Monte-Carlo experiment on a $kx$-coin toss, more than a $1-2\delta$ fraction of the answers agree on some value, then this is the correct value. (In such a case the coin is said to be distinguishably good. See [VV1])

Using Distinguishably Good Coins:

Let $t$ be a fixed constant and $K$ be a set of cardinality $O(\log N)$. If for every $k \in K$ there exists a $1 \le j \le t$ such that the $(j\cdot kx)$-coin is distinguishably good then one can determine the parity of $kx$. (This is done by replacing every $kx$-measurement, of the subroutine, by a set of $O(\log\log N)$ measurements, see [VV1]). (The above condition will be referred to as the Distinguishability Condition.)
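The $kx$-measurement of 3.1.1 and the distinguishably-good test of 3.1.2, as a constructed simulation added here (not code from [BCS], [VV1] or this paper). A toy modulus, plaintext and oracle error rate are assumed, and the simulated oracle is handed the multiple itself rather than $E(\cdot)$ of it, since the encryption only labels the query; the simulation reports the per-toss correctness next to the trivial $2\delta$ bound and the $(\frac12+\delta)^2+(\frac12-\delta)^2$ value obtained when the two errors are independent.

```python
"""Simulation of the kx-coin against a noisy l.s.b. oracle (added illustration)."""
import random

N = 1000003 * 999983     # constructed toy "RSA modulus"; only its size matters here
X = 123456789            # constructed plaintext x (coprime to N)


def make_oracle(delta, rng):
    """A (1/2+delta)-oracle for RSA's l.s.b.: answers lsb(y) with probability 1/2+delta.
    In the real setting it would receive E(y); here it is handed y directly."""
    def oracle(y):
        bit = y & 1
        return bit if rng.random() < 0.5 + delta else bit ^ 1
    return oracle


def multiplier_for(u):
    """k with k*x = u (mod N), so that the multiple kx is the small value u."""
    return u * pow(X, -1, N) % N


def kx_measurement(oracle, k, rng):
    """One toss of the kx-coin: random r, then parity(rx) XOR parity(rx + kx).
    kx is small, so rx < rx + kx (no wrap modulo N) except with negligible probability."""
    r = rng.randrange(1, N)
    return oracle(r * X % N) ^ oracle((r + k) * X % N)


def run_coin(oracle, k, tosses, rng):
    """Monte-Carlo experiment on the kx-coin: (majority value, fraction agreeing with it)."""
    ones = sum(kx_measurement(oracle, k, rng) for _ in range(tosses))
    value = int(2 * ones > tosses)
    return value, max(ones, tosses - ones) / tosses


def distinguishably_good(agree, delta):
    """[VV1] criterion (stated for delta < 1/4): more than a 1-2delta fraction agree."""
    return agree > 1 - 2 * delta


def toss_correctness(u, delta, tosses=4000, seed=1):
    """Empirical probability that one kx-toss returns parity(u).
    Trivial bound: 2*delta. Independent errors: (1/2+delta)^2 + (1/2-delta)^2."""
    rng = random.Random(seed)
    oracle = make_oracle(delta, rng)
    k = multiplier_for(u)
    hits = sum(kx_measurement(oracle, k, rng) == (u & 1) for _ in range(tosses))
    return hits / tosses


def measure_parity(u, delta, tosses=2000, seed=1):
    """Parity of the small multiple u = kx as determined through the noisy oracle,
    together with whether the coin was distinguishably good."""
    rng = random.Random(seed)
    oracle = make_oracle(delta, rng)
    value, agree = run_coin(oracle, multiplier_for(u), tosses, rng)
    return value, distinguishably_good(agree, delta)


if __name__ == "__main__":
    print(measure_parity(12345, 0.3), toss_correctness(12345, 0.3))   # (1, True), about 0.68
    print(measure_parity(12345, 0.2, tosses=20000))                   # (1, False): 0.58 < 0.6
```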

Vazirani and Vazirani combined the above sketched ideas to an algorithm that inverts the RSA using a $(\frac12+\delta)$-oracle. It remained to be shown that when given certain oracles for RSA's l.s.b. the Distinguishability Condition holds. In [VV1] Vazirani and Vazirani proved that the Distinguishability Condition holds for any 0.741-oracle for RSA's l.s.b.; in [VV2] they improved their analysis and showed that this condition holds for any 0.732-oracle.

3.2. Cryptographic Implications of our Combinatorial Results 

It is easy to show that the Distinguishability Condition is equivalent to the following condition, hereafter referred to as the Big-Advantage Condition: for some fixed $t$, $\mathrm{Max}(N,\delta,t) \ge 1 - 2\delta + \epsilon$.

(Use oracle transformation through multiplication by the inverse of $kx$ mod $N$. Note that if the inverse does not exist it is feasible to factor $N$ and inverting the RSA becomes easy.) This was also observed by Vazirani and Vazirani [VV2].

Thus, we can summarize Vazirani and Vazirani's [VV1] work by the following

VV-Theorem: Let $N$ be the RSA's modulus and $t$ be a fixed constant. If $\mathrm{Max}(N,\delta,t) \ge 1 - 2\delta + \epsilon$ then any $(\frac12+\delta)$-oracle for RSA's l.s.b. can be used to efficiently invert the RSA. (In other words: if the Big-Advantage Condition holds for $\delta$ then RSA's l.s.b. is $(\frac12+\delta)$-secure.)

By our results, the Big-Advantage Condition holds for $\delta \ge 0.225$. Namely, using the VV-Theorem, Prop. 17 and Corollary 1(iii) we get

Corollary 2: Any 0.725-oracle for the least significant bit of the RSA can be efficiently used to invert the RSA.
In other words

Theorem: RSA's l.s.b. is 0.725-secure.

Note that the result of Corollary 1(iii) is tight. Thus under the condition $\mathrm{Aver}(n,\delta,t) \ge 1 - 2\delta + \epsilon$, the result of Corollary 2 is optimal. However, $\mathrm{Aver}(n,\delta,t) \ge 1 - 2\delta + \epsilon$ is more than is needed to satisfy the Big-Advantage Condition. (Recall that the Big-Advantage Condition requires only that $\mathrm{Max}(n,\delta,t) \ge 1 - 2\delta + \epsilon$.) Thus, any improvement of the current lower bound on $\mathrm{Max}(n,\delta,t)$ will yield an improvement of the result of Corollary 2. We believe that $\mathrm{Max}(n,\delta,t) > \mathrm{Aver}(n,\delta,t)$ and thus that such an improvement is possible. Furthermore we conjecture that

Conjecture 1: $\mathrm{Max}(n,\delta,t) \approx \frac12 + \delta$.

Combined with the VV-Theorem this implies

Corollary 3: If Conjecture 1 is valid then RSA's l.s.b. is $(\frac23 + \epsilon)$-secure, for arbitrary small fixed $\epsilon$.

Note that under the Big-Advantage Condition the "result" of Corollary 3 is optimal. This is due to Prop. 19(iii) which states that $\mathrm{Max}(n,\delta,t) \le \frac12 + \delta$. Thus, using the VV-Theorem (or any proof technique which requires that the Big-Advantage Condition holds) one cannot hope to prove that RSA's l.s.b. is $\frac23$-secure.

Let us conclude by pointing out that the full power of the results obtained in section 2.3 was not used; however, we conjecture that it can be used. Namely,

Conjecture 2: Let $N$ be the RSA's modulus and $t \ll N$. If $\mathrm{Aver}(N,\delta,t) \ge \frac12 + \epsilon$ then any $(\frac12+\delta)$-oracle for RSA's l.s.b. can be used to efficiently invert the RSA. (In other words: if $\mathrm{Aver}(N,\delta,t) \ge \frac12 + \epsilon$ then RSA's l.s.b. is $(\frac12+\delta)$-secure.)

The condition of the statement of Conjecture 2 is hereafter referred to as the Average-Advantage Condition. By Corollary 1, the Average-Advantage Condition is satisfied by $\delta = 0.177$; thus

Corollary 4: If Conjecture 2 is valid then the RSA's l.s.b. is 0.677-secure.

Note that $\delta = 0.177$ is the minimum for which the Average-Advantage Condition is satisfied. Thus no progress beyond the $\delta = 0.177$ point can be made through the Average-Advantage Condition; i.e. when relying on it one cannot hope to prove that RSA's l.s.b. is 0.676-secure.

Note that in Corollary 4 the missing part to reach the stated result is the algorithm that will use the analysis. (The analysis of the question which oracles satisfy the Average-Advantage Condition is complete!) However, in the case of the Big-Advantage Condition improved results can still be achieved (just) by improving the analysis of the combinatorial problem (see Corollary 3).
4. Conclusion

We have solved a combinatorial problem and have shown how to use this solution to improve knowledge on the security of RSA's l.s.b. We have also pointed out possible directions for further improvement of our result. Improved results can be obtained by either conducting a better combinatorial analysis of $\mathrm{Max}(\cdot,\cdot,\cdot)$ or by suggesting an inverting algorithm based on the Average-Advantage Condition.

However such improvements will not suffice to show that RSA l.s.b. is $\frac23$-secure. We believe that any improvement in the results concerning the security of RSA's l.s.b., beyond the $\frac23$ point (which is still out of reach), must make use of additional properties of the RSA.

5. Epilogue

Meanwhile, Schnorr and Alexi [SA84] proved that RSA l.s.b. is $(\frac12+\epsilon)$-secure, for every fixed $\epsilon$. Thus, the above conclusions are no longer of interest.

Schnorr and Alexi's proof is based on guessing the parity of 0(log log N) randomly 
selected positions and using these positions in all measurements of Ben-Or, Chor and 
Shamir's algorithmic procedure. Thus, the oracle is queried only about one end-point 
of each measurement and the analysis is w.r.t single positions rather than being w.r.t 
pairs of close positions. 

Further improvement was achieved by Chor and Goldreich [CG84], who proved 
that RSA l.s.b is (5 + N )- secure, for every fixed c. 
ABSTRACT

The Matsumoto-Imai public key scheme was developed to provide very fast signatures. It is based on substitution polynomials over $GF(2^m)$. This paper shows in two ways that the Matsumoto-Imai public key scheme is very easy to break. In the faster of the two attacks the time to cryptanalyze the scheme is about proportional to the binary length of the public key. This shows that Matsumoto and Imai greatly overestimated the security of their scheme.
1. INTRODUCTION

Several attempts have been made to use the fields $GF(2^m)$ [1] in cryptography. The motivation is that these fields allow very fast computation and are very easy to implement in hardware [2]. However, many such attempts quickly yielded to cryptanalytic attacks. For example, an extension of the RSA scheme to the fields $GF(2^m)$ [3] was immediately broken [4,10]. The security of the fields $GF(2^m)$ in public key distribution systems [5] was also overestimated [6]. Cryptanalysis is possible there if the dimension $m$ of the field $GF(2^m)$ is less than 1000 [6].

The Matsumoto-Imai public key scheme [7] also uses the fields $GF(2^m)$. It allows generation of signatures much faster than the RSA scheme. Moreover the scheme is very easy to implement. However, in this paper we give two efficient algorithms to cryptanalyze the Matsumoto-Imai public key scheme.

First the details of the Matsumoto-Imai scheme are presented, based on our interpretation of [7]. Then an overview of the first and second cryptanalytic attack is given. Both attacks use the public knowledge of the construction algorithm for public keys, and find secret parameters used in the construction of the public key. These algorithms are then presented in detail.

2. THE MATSUMOTO-IMAI PUBLIC KEY SCHEME

The Matsumoto-Imai [7] enciphering is defined over $GF(2^m)$, the message space. The public key is a substitution polynomial [1]: $E(X) = \sum_{i=0}^{2^m-2} e_i X^i$. For a message $Y$, which belongs to $GF(2^m)$, the ciphertext is $E(Y)$. In order to have a "short" public key and to be able to encipher rapidly, most of the $e_i$ must be zero. To that end, $E(X)$ is constructed as $E(X) = a(b + X^\alpha)^\beta$ modulo $(X^{2^m} + X)$, where the Hamming weight [2] of $\beta$ is $r$. One can then easily prove that only $2^r$ coefficients $e_i$ will be non-zero. If $r$ is small (e.g., 14, as suggested in [7]), the public key is not too long. $E(X)$ in expanded form is made public, while $a$, $b$, $\alpha$, and $\beta$ are kept secret in order to be able to decipher fast. In order to specify $E(X)$, the field $GF(2^m)$ has to be made public also, and $r$ can be deduced from the number of non-zero coefficients. Therefore we have:

Remark: One can consider that m and r are given, so these values do not have to be deduced. 

3. MAIN PRINCIPLES FOR THE CRYPTANALYSIS OF THE MATSUMOTO-IMAI PUBLIC KEY SCHEME

In order to allow a unique deciphering, the system designer has to choose $\gcd(\alpha, 2^m-1) = \gcd(\beta, 2^m-1) = 1$, and so from now on we will assume these conditions hold. The following theorems help to explain the cryptanalysis.

Theorem 1: If the public key is constructed as mentioned above and $\beta$ is written as

$\beta = \sum_{j=1}^{r} 2^{u_j}$, with $0 \le u_j < m$, (1)

then the exponents of $X$ with non-zero coefficients can be expressed as

$\alpha \sum_{j=1}^{r} z_j 2^{u_j} \pmod{2^m-1}$, with $z_j = 0$ or $1$, (2)

and their corresponding coefficients as

$a b^k$ with $k = \sum_{j=1}^{r} (1-z_j) 2^{u_j} \pmod{2^m-1}$. (3)

Proof: Using the construction algorithm for public keys and (1), we have $E(X) = a\prod_{j=1}^{r}(b + X^\alpha)^{2^{u_j}}$. Since the characteristic of $GF(2^m)$ is 2, $E(X) = a\prod_{j=1}^{r}(b^{2^{u_j}} + X^{\alpha 2^{u_j}})$, and using $X^{2^m} = X$ modulo $X^{2^m} + X$ we obtain (2) and (3). ■

Corollary 1: At least $m$ different $(a,b,\alpha,\beta)$ determine the same enciphering key.

Proof: Choose $\alpha' = 2^h\alpha$ and $\beta' = 2^{m-h}\beta$ (modulo $2^m-1$) and use the proof of Theorem 1. ■

It is sufficient to find any one of these equivalent $(a,b,\alpha,\beta)$ in order to break the scheme. To simplify the description, all these equivalent keys will be called the secret key. We will sometimes suppose in the paper that $u_1 = 0$, which by Corollary 1 entails no loss of generality.

Corollary 2: If $u_1 = 0$ then $b$ = (coefficient of $X$ to the power 0)/(coefficient of $X$ to the power $\alpha$) and $a$ = (coefficient of $X$ to the power 0)$/b^\beta$.

Proof: Can be verified easily using Theorem 1. ■

Theorem 2: If $\gcd(\alpha, 2^m-1) = 1$ and $\gcd(\beta, 2^m-1) = 1$, then the list of exponents of $X$ in $E(X)$ with nonzero coefficients contains a unique subset of size $r$ of the form $\{2^{v_1}\alpha_1, 2^{v_2}\alpha_1, \ldots, 2^{v_r}\alpha_1\}$ (modulo $2^m-1$). Taking Corollary 1 into account one has $\alpha = \alpha_1$ and $\beta = \sum_{j=1}^{r} 2^{v_j}$.

Proof. In view of Theorem 1 this subset is actually present in the list of exponents. Let now $\gamma$ be any other element of the list, say $\gamma = (2^{p_1} + 2^{p_2} + \ldots + 2^{p_s})\alpha$ (modulo $2^m-1$), where $\{p_1,p_2,\ldots,p_s\}$ is a subset of $\{u_1,u_2,\ldots,u_r\}$ with $s \ge 2$. We shall prove that the list contains fewer than $r$ elements of the form $2^k\gamma$ (modulo $2^m-1$). First it is clear there cannot be more than $r$ such elements, because for each $k$, each sum (modulo $m$) must coincide with one of the integers $u_1,u_2,\ldots,u_r$. If there were exactly $r$ elements, then one would necessarily have $p_1 + k_j = u_{\pi(j)}$ and $p_2 + k_j = u_{\sigma(j)}$ (modulo $m$), for $j = 1,2,\ldots,r$, where $\pi$ and $\sigma$ are two permutations on $\{1,2,\ldots,r\}$. Taking the binary exponential of these identities and adding the results together (for $j = 1,2,\ldots,r$) one readily obtains $\beta(2^{p_2-p_1} - 1) = 0$ (modulo $2^m-1$), which is impossible since $\gcd(\beta, 2^m-1) = 1$ and $p_2 \ne p_1$. ■

If one finds an $\alpha_1$ which satisfies the above property, then $\alpha$ will be chosen equal to $\alpha_1$. The calculation of $\beta$ is then trivial; it is in fact obtained at the same time as $\alpha$. Once $\alpha$ and $\beta$ have been found, $a$ and $b$ are calculated using Corollary 2. As a consequence of Theorem 2 and the remark at the beginning of this section, one does not need to check that the obtained $\alpha$ is correct! Two algorithms will now be presented which find $\alpha$ and $\beta$. The first algorithm uses the calculation of the inverse of elements modulo $2^m-1$. The second one is based on shift operations and sorting algorithms.

4. CRYPTANALYSIS USING INVERSE CALCULATION

4.1 The Principles Of The Algorithm

Exponents of $X$ with non-zero coefficients will be written as $i_k$, with $1 \le k \le 2^r$. For each $k$, $1 \le k \le 2^r$, we test whether $\alpha = i_k$. If $\gcd(i_k, 2^m-1)$ is not equal to one, a wrong choice for $\alpha$ was made. If $\gcd(i_k, 2^m-1) = 1$ then several techniques can be used to find $\beta$. In one of them the cryptanalyst first calculates

$l_i = i_k^{-1}\, i_i \pmod{2^m-1}$, $1 \le i \le 2^r$. (4)

In view of Theorem 2, if $r$ values of $l_i$ are powers of 2, then $i_k$ is $\alpha$, and $\beta$ is the sum of these $r$ values of $l_i$. If no such $r$ values are found, continue the exhaustive search. Because $r$ is small this exhaustive search is fast.

4.2 Speed Evaluation Of The Algorithm 

The number of elementary steps (such as additions and shifts) used in the above cryptanalytic algorithm will be analyzed. First the complexity of each step will be obtained; next this value will be multiplied by the number of times each step is executed.

The calculation of the $\gcd(i_k, 2^m-1)$ and the calculation of $i_k^{-1}$, if it exists, can be done at once. This requires $O(m)$ steps [8] (subtractions or shifts). This means in total $O(m2^r)$ steps during the exhaustive search for $\alpha$. The calculation of (4) requires in practice $O(m^2)$ [8] elementary steps (additions and small multiplications). For larger values of $m$ better algorithms (e.g., using the FFT) can be used [8]. This means for the exhaustive search that (4) is executed in worst case in $O(m^2 2^{2r})$ steps, while on average it takes $O(m^2 2^{2r}/r)$ steps. The calculation of $\beta$ requires for each trial $O(\log_2 m)$ steps. We conclude that the cryptanalysis requires $O(m^2 2^{2r}/r)$ steps on average, and $O(m^2 2^{2r})$ in the worst case. The next algorithm has an improved speed performance.

5. CRYPTANALYSIS USING SHIFT OPERATIONS 

5.1 The Principles Of The Algorithm 

In the second method of attack we partition the exponents of $X$ with nonzero coefficients into sets $S_p$. Two different exponents $i_k$ and $i_l$ of $X$, with non-zero coefficients, will belong to the same set $S_p$ if and only if for some $s$, $i_k = 2^s i_l \pmod{2^m-1}$. In other words, $i_k$ and $i_l$ belong to the same set $S_p$ if one can obtain $i_k$ from $i_l$ by a suitable rotation of its binary representation. The cryptanalysis consists of determining all different sets $S_p$ for all exponents of $X$ with non-zero coefficients. Using Theorem 2 exactly one $S_p$, which we call $S_r$, will contain $r$ elements. Using Corollary 2, any element of $S_r$ can be chosen as $\alpha$. Identifying the required rotation operations for going from $\alpha$ to obtain the other elements of $S_r$, we obtain $\beta$. We now describe how the above ideas can be carried out. The speed of the algorithm will be discussed later.

First we define a unique representative for each set $S_p$. A value $v_p$ is the representative of the set $S_p$ if it is the smallest of the $m$ values obtained by rotating $0,1,2,\ldots,m-1$ times an element of the set $S_p$. Note that $v_p$ can be viewed as the value of a function $v(i)$ defined over the set $\{0,1,\ldots,2^m-2\}$ and satisfying $v(i_1) = v(i_2)$ if and only if $i_1 = 2^s i_2 \pmod{2^m-1}$, for a certain $s$. This function $v(i)$ will now be used to find $\alpha$. We calculate $v(i_k)$ for all $2^r$ exponents $i_k$ of $X$ with non-zero coefficients. The $v(i_k)$ and $i_k$ together are written in lists $A$ and $B$ of $2^r$ elements, in which each element contains $m$ bits. There is a unique element $w$ that appears $r$ times in list $A$, and then $\alpha$ can be chosen as any of the corresponding elements in list $B$. This search for $w$ and $\alpha$ can easily be performed by sorting [9, pp. 2] the list $A$ while simultaneously permuting the list $B$ in the same way.
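The attack of this subsection, run end to end on a toy instance. This is an added illustration, not the authors' code: $m = 7$ with field polynomial $x^7 + x + 1$ and the secret $(a, b, \alpha, \beta)$ are constructed here ($2^7 - 1 = 127$ is prime, so the gcd conditions hold for any nonzero $\alpha$, $\beta$); the public key is expanded with Theorem 1, $\alpha$ and $\beta$ are read from the rotation classes via $v(i)$, and $a$, $b$ then follow from Corollary 2. The recovered key is checked by enciphering every element of $GF(2^7)$ both ways.

```python
"""Toy Matsumoto-Imai instance and the rotation-class attack (added illustration)."""
M = 7
POLY = (1 << 7) | 0b11          # x^7 + x + 1, irreducible over GF(2) (assumption made here)
MASK = (1 << M) - 1             # 2^m - 1; exponents of X are reduced modulo this


def gf_mul(x, y):
    """Multiplication in GF(2^m): shift-and-add with reduction modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= POLY
    return r


def gf_pow(x, e):
    """x^e in GF(2^m) by square-and-multiply (x^0 = 1, also for x = 0)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def gf_inv(x):
    return gf_pow(x, MASK - 1)   # x^(2^m - 2) = x^(-1) for x != 0


def public_key(a, b, alpha, beta):
    """Expand E(X) = a (b + X^alpha)^beta mod (X^(2^m) + X) with Theorem 1: each subset of the
    bits 2^{u_j} of beta, summing to K, gives exponent alpha*K and coefficient a*b^(beta-K)."""
    bits = [1 << u for u in range(M) if beta >> u & 1]
    pk = {}
    for z in range(1 << len(bits)):
        K = sum(bits[j] for j in range(len(bits)) if z >> j & 1)
        pk[alpha * K % MASK] = gf_mul(a, gf_pow(b, beta - K))
    return pk


def evaluate(pk, y):
    """E(y) from the published coefficients {exponent: coefficient}."""
    r = 0
    for e, c in pk.items():
        r ^= gf_mul(c, gf_pow(y, e))
    return r


def encipher(a, b, alpha, beta, y):
    """E(y) computed the fast way from the secret parameters."""
    return gf_mul(a, gf_pow(b ^ gf_pow(y, alpha), beta))


def rotl(i, s):
    """2^s * i (mod 2^m - 1) is a cyclic left rotation of the m-bit representation of i."""
    s %= M
    return ((i << s) | (i >> (M - s))) & MASK


def v(i):
    """Representative of the rotation class S_p of i: its smallest rotation (Section 5.1)."""
    return min(rotl(i, s) for s in range(M))


def recover_secret_key(pk, r):
    """Section 5: group exponents by v(i); the unique class with r members is {2^{v_j} alpha_1}.
    Any member serves as alpha, beta is read off the rotations, and a, b follow from Corollary 2."""
    classes = {}
    for e in pk:
        if e:
            classes.setdefault(v(e), []).append(e)
    (members,) = [c for c in classes.values() if len(c) == r]   # unique by Theorem 2
    alpha = min(members)
    beta = 0
    for w in members:
        s = next(s for s in range(M) if rotl(alpha, s) == w)      # w = 2^s alpha
        beta |= 1 << s
    b = gf_mul(pk[0], gf_inv(pk[alpha]))          # coeff(X^0) / coeff(X^alpha)
    a = gf_mul(pk[0], gf_inv(gf_pow(b, beta)))    # coeff(X^0) / b^beta
    return a, b, alpha, beta


def attack_succeeds(a, b, alpha, beta):
    """True if the recovered (equivalent) key enciphers every Y in GF(2^m) like the real one."""
    pk = public_key(a, b, alpha, beta)
    key = recover_secret_key(pk, bin(beta).count("1"))
    return all(encipher(*key, y) == evaluate(pk, y) for y in range(1 << M))


if __name__ == "__main__":
    print(attack_succeeds(0b1011, 0b110, 5, 0b100101))   # constructed secret key, r = 3
```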

5.2 Speed Evaluation Of The Algorithm 

The calculation of $v(i)$ requires $m$ steps. Doing this for all the exponents of $X$ that appear in $E(X)$ takes $m2^r$ steps. The sorting of list $A$, together with the permutation of list $B$, requires $O(r2^r)$ steps in practice [9, pp. 181-198, p. 381].

In total this algorithm requires $O(m2^r)$ steps even in the worst case!
6. CONCLUSIONS 

The Matsumoto-Imai public key scheme seems attractive from speed considerations, but is totally insecure! Matsumoto and Imai estimated the cryptanalysis of their scheme would require about $10^{20}$ steps if $m = 127$ and $r = 14$. However using our cryptanalytic attack using inverse calculation, on the same example, one needs only about $3\cdot 10^{11}$ steps, which is performable even on a small computer. If one step requires 10 μsec on a small computer, then the attack requires 36 days. If one step asks 100 nsec on a fast computer, the attack can be performed in only 8 hours. Using the cryptanalysis based on shift operations, one needs only $2\cdot 10^6$ steps. Using the same small and fast computer, this requires 20 sec and 0.2 sec, respectively. On a fast computer, the cryptanalytic attack suggested by Matsumoto and Imai would require $3\times 10^5$ years.

Remark: The second cryptanalytic attack requires about as many steps as the binary length of the public key!

One could increase the security of the Matsumoto-Imai scheme by increasing $m$ and $r$. However, even disregarding the fact that this might entail impractically large storage requirements, this would not produce an acceptable system. Evaluation of the publicly known function $E(X)$ takes at least $2^r$ multiplications in $GF(2^m)$, and each such multiplication might be expected to take about $m$ operations such as the shifts we utilize in our second attack. Hence the time needed to cryptanalyze the Matsumoto-Imai system is essentially the same as the time needed to use it once!
This paper presents a new trapdoor-knapsack public-key-cryptosystem. The encryption equation is based on the general modular knapsack equation, but unlike the Merkle-Hellman scheme the knapsack components do not have to have a superincreasing structure. The trapdoor is based on transformations between the modular and radix form of the knapsack components, via the Chinese Remainder Theorem. The resulting cryptosystem has high density and has a typical message block size of 2000 bits and a public key of 14K bits. The security is based on factoring a number composed of 256 bit prime factors. The major advantage of the scheme when compared with the RSA scheme is one of speed. Typically, knapsack schemes such as the one proposed here are capable of throughput speeds which are orders of magnitude faster than the RSA scheme.
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List of Principal Symbols 

$a_j$ = a published knapsack component. 

$a'_j$ = a secret knapsack component. 

$a$ = the public knapsack vector = $(a_1, a_2, \ldots, a_n)$. 

$a'$ = the secret knapsack vector = $(a'_1, a'_2, \ldots, a'_n)$, 
also transformable to the secret knapsack matrix. 

$a^{(i)}_j = a_j \bmod p_i$ = residue of the $j$th knapsack component 
modulo the $i$th prime. 

$D$ = density of the cryptosystem. 

$g$ = number of bits in $x_i$, the message sub-blocks. 

$h$ = number of bits in $p_{i,\min}$. 

$K$ = the number of distinct secret matrices $a'$. 

$n$ = the number of knapsack components, 
also, the number of primes $p_i$. 

$p_i$ = a prime number. 

$\mathbf{p}$ = a set of $n$ distinct primes = $(p_1, \ldots, p_n)$. 

$p = \prod_{i=1}^{n} p_i$ = the product of $n$ distinct primes. 

$PK$ = number of bits in the public key. 

$r$ = number of bits in $\sum_{j=1}^{n} a'^{(i)}_{j,\max}$, the sum of a column of $a'$. 

$S$ = the cryptogram = $\sum_{i=1}^{n} a_i \, x_i$. 

$S'$ = the transformed cryptogram = $S \cdot W^{-1} \bmod p$, 
also equal to $(S'^{(1)}, S'^{(2)}, \ldots, S'^{(n)})$ in modular form. 

$W$ = a secret modular multiplier, relatively prime to $p$. 

$x$ = the message vector = $(x_1, x_2, \ldots, x_n)$. 
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Introduction 



Public-key-cryptosystems have received considerable attention over the last 
few years (Diffie and Hellman 1976, ref. 1). This is because such systems 
offer secure communications without the need for prior key distribution, and 
the possibility of digital signatures. The two most important schemes are the 
RSA scheme (Rivest, Shamir, and Adleman 1978, ref. 2), and the 
Trapdoor-Knapsack scheme (Merkle and Hellman 1978, ref. 3). Of these the 
Knapsack scheme has fallen into disfavour because of successful attacks on the 
original Merkle-Hellman scheme. Specifically, the attacks have not been on the 
encryption equation, which appears secure, but on the fact that the knapsack 
components are transformations of a superincreasing sequence (Desmet 1982, 
ref. 4). In addition, it has been shown that if the density of the knapsack is 
low, where density is loosely defined as the ratio of message-text bits to 
cryptogram bits, then even non-superincreasing knapsacks are insecure 
(Brickell 1983, ref. 5; Lagarias and Odlyzko 1983, ref. 6). Despite these 
problems knapsack schemes have one major practical advantage over the RSA 
scheme, and that is speed. This is because the encryption and decryption 
processes used are intrinsically faster than performing the modular 
exponentiations needed in the RSA. Typically, knapsack schemes can operate 
at throughput rates of 20 Mbits/sec, whereas the RSA is limited to about 
50 Kbits/sec, using current technology. 

The new trapdoor-knapsack presented in this paper uses the general modular 
knapsack equation (eqn. 1), and does not require the knapsack components to 
be superincreasing. In addition, the system parameters can be chosen to give 
a very high density secure cryptosystem. The trapdoor is based on being able 
to transform between the radix and modular representations of the subset sums 
via the Chinese Remainder Theorem (Knuth 1968, ref. 7). The system bears a 
resemblance to the Lu-Lee (1979, ref. 8) system, but whereas their 
cryptosystem is linear and has been shown to be insecure (Goethals and 
Couvreur, 1980, ref. 9), ours is based on the general modular knapsack 
equation, which to date has not been generally broken. 
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The New Trapdoor 

The general modular knapsack equation is given by 

$$S = \sum_{i=1}^{n} a_i \, x_i \bmod p .$$   eqn. 1. 

When used for cryptography, the a's are the n published knapsack components, 
p is a published modulus, and the x's are the message bits. In the binary 
knapsack the x's are 0 or 1, but in the general knapsack they are g bit 
numbers. The subset sum S is the cryptogram which is sent to the legitimate 
user, who is the only one who can unwind the cryptogram back to the 
original x's. 

Let $(p_1, p_2, \ldots, p_n)$ be a set of prime integers whose product is given by 

$$p = \prod_{i=1}^{n} p_i ,$$   and where   $a^{(i)}_j = a_j \bmod p_i$ 

is the residue of the $j$th knapsack component modulo the $i$th prime. 
Then by the Chinese Remainder Theorem 

$$a_j \leftrightarrow ( a^{(1)}_j , a^{(2)}_j , \ldots , a^{(n)}_j )$$ 

is a bijective mapping. That is, the transformation is one-to-one for all 
a's between 1 and p-1. Thus if the factorisation of p is kept secret, then 
only the legitimate user will be able to transform the radix representation 
of the knapsack components into their modular representation. This forms 
the trapdoor. Let us now choose a set of n knapsack components and express 
them in both radix and modular form: 

$$a' = \begin{pmatrix} a'^{(1)}_1 & a'^{(2)}_1 & \cdots & a'^{(n)}_1 \\ a'^{(1)}_2 & a'^{(2)}_2 & \cdots & a'^{(n)}_2 \\ \vdots & \vdots & & \vdots \\ a'^{(1)}_n & a'^{(2)}_n & \cdots & a'^{(n)}_n \end{pmatrix} .$$   eqn. 2. 

Let us then disguise the trapdoor by forming a new set of knapsack components 
via the modular multiplication 

$$a_j = a'_j \cdot W \bmod p$$   eqn. 3. 

where W and p are relatively prime, and $W^{-1}$ is the multiplicative inverse of 
W, modulo p. 
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We now publish p, and the modified knapsack components (a) in radix 
form. This is the public key. The factorisation of p and the integer W 
are kept secret, and hence so is the modular representation of the a'. 

Now let   $p_i > 2^h$   eqn. 4. 

that is, the primes are at least h+1 bit numbers. 

Let   $x_{i,\max} < 2^g$   eqn. 5. 

that is, the message blocks are g bit numbers. 

And let   $\sum_{j=1}^{n} a'^{(i)}_{j,\max} < 2^r$   eqn. 6. 

that is, the columns of a' sum to an r bit number. 

In order to ensure that the encryption equation has a unique decryption, 
we must ensure that the message to ciphertext transformation x → S is 
injective. To guarantee this we must have 

$h \geq r + g$   eqn. 7. 

which also ensures that modular multiplication is equivalent to matrix 
multiplication (each $\sum_j x_j a'^{(i)}_j$ is less than $2^{g+r} \le 2^h < p_i$, 
so no reduction modulo $p_i$ takes place): 

$$(S'^{(1)}, S'^{(2)}, \ldots, S'^{(n)}) = (x_1, x_2, \ldots, x_n) \begin{pmatrix} a'^{(1)}_1 & a'^{(2)}_1 & \cdots & a'^{(n)}_1 \\ a'^{(1)}_2 & a'^{(2)}_2 & \cdots & a'^{(n)}_2 \\ \vdots & \vdots & & \vdots \\ a'^{(1)}_n & a'^{(2)}_n & \cdots & a'^{(n)}_n \end{pmatrix}$$ 

i.e.   $S' = x \cdot a'$ 

and that the transformation can be inverted (provided the matrix a' is 
non-singular) via 

$x = S' \cdot a'^{-1}$ .   eqn. 8. 

The cryptosystem then operates as follows. A user wishing to send us a 
message forms the ciphertext 

$S = ( x_1 \cdot a_1 + x_2 \cdot a_2 + \cdots + x_n \cdot a_n ) \bmod p$ 

via equation 1. We compute S' via 

$S' = S \cdot W^{-1} \bmod p$ 

and express in modular form via our known factorisation of p: 

$S' \leftrightarrow ( S'^{(1)} , S'^{(2)} , \ldots , S'^{(n)} )$ 

we then apply $x = S' \cdot a'^{-1}$ and hence recover the message. 

The cryptanalyst must either break the factorisation of p or attack the 
trapdoor in some other manner. 
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A Small Example 

We now give an example of the above method using n=3. The example is of course 
too small for security. 

Let n = 3 and define $\mathbf{p}$ = ( 37, 41, 43 ), hence p = 65231, and h = 5 (eqn. 4). 
Choose g = 2, that is, the message components are two bit numbers. This 
dictates that r = 3 via equation 7 ( h = 5 ≥ 3 + 2 ). Choose n = 3 knapsack 
components which satisfy equation 6, that is, the columns of a' add to < 8, 
and express in both modular and radix form: 

$a'_1 = ( 3 , 1 , 1 ) \leftrightarrow 125174$ 

$a' = \; a'_2 = ( 1 , 5 , 3 ) \leftrightarrow 151664$ 

$a'_3 = ( 2 , 1 , 2 ) \leftrightarrow 122509$ . 

Now choose W = 6553 which is relatively prime to p = 65231. Perform the modular 
multiplication of equation 3, and publish the resulting knapsack components: 

$a_1 = 50628$ 

$a_2 = 59907$ 

$a_3 = 3560$ 

and the modulus p = 65231. 

Compute the inverse $W^{-1} = 2618$ via Euclid's algorithm and invert the matrix a': 

$$a'^{-1} = \frac{1}{16} \begin{pmatrix} +7 & -1 & -2 \\ +4 & +4 & -8 \\ -9 & -1 & +14 \end{pmatrix} .$$ 

To transmit the 6 bit message x = (1, 2, 3) a user computes the ciphertext 

S = ( 1 . 50628 ) + ( 2 . 59907 ) + ( 3 . 3560 ) 
  = 181122 
  = 50660 mod 65231 . 

Using the secret $W^{-1}$ the receiver computes 

S' = 50660 . 2618 mod 65231 
   = 13257 mod 65231 

and using the secret $\mathbf{p}$ is able to transform into modular form: 

$S' = ( 11 , 14 , 13 ) \leftrightarrow 13257$ . 

From equation 8, the receiver computes: 

$$16 \cdot x = ( 11 , 14 , 13 ) \begin{pmatrix} +7 & -1 & -2 \\ +4 & +4 & -8 \\ -9 & -1 & +14 \end{pmatrix} = ( 16 , 32 , 48 )$$ 

giving x = (1, 2, 3) as transmitted. 
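The whole small example, as an added Python example (not code from the paper): the CRT lift of the secret components, the disguising multiplication of eqn. 3, encryption by eqn. 1, and decryption via W^{-1}, the secret primes and a'^{-1} (eqn. 8). The function names and the exact-rational matrix inverse are this example's own; crt_combine returns the least non-negative representative, so the secret radix values it produces (59943, 21202, 57278) differ from the ones printed above by multiples of p = 65231, while the published components and the ciphertext agree with the paper.

```python
from fractions import Fraction
from math import prod

# Parameters taken from the paper's n = 3 example.
PRIMES = (37, 41, 43)       # secret factorisation of p
W = 6553                    # secret modular multiplier, relatively prime to p
A_MOD = [(3, 1, 1),         # secret components a'_j in modular form: row j holds
         (1, 5, 3),         # (a'_j mod 37, a'_j mod 41, a'_j mod 43); each column
         (2, 1, 2)]         # sums to < 2^r = 8 (eqn. 6), with g = 2 and h = 5 (eqn. 7)


def crt_combine(residues, moduli):
    """Chinese Remainder Theorem, modular -> radix form.  Returns the least
    non-negative integer congruent to residues[i] modulo moduli[i]."""
    total, m = 0, 1
    for r, q in zip(residues, moduli):
        t = ((r - total) * pow(m, -1, q)) % q   # lift by one more modulus
        total += m * t
        m *= q
    return total


def to_modular(a, moduli):
    """Radix -> modular form; only possible with the factorisation of p."""
    return tuple(a % q for q in moduli)


def make_keys(a_mod, primes, w):
    """Build the public key (a_1..a_n, p) from the secret matrix a' and W."""
    p = prod(primes)
    a_secret = [crt_combine(row, primes) for row in a_mod]
    a_public = [(a * w) % p for a in a_secret]   # eqn. 3
    return a_public, p


def encrypt(x, a_public, p):
    """General modular knapsack, eqn. 1."""
    return sum(xi * ai for xi, ai in zip(x, a_public)) % p


def inverse_matrix(mat):
    """Exact inverse of a small non-singular integer matrix
    (Gauss-Jordan elimination over the rationals)."""
    n = len(mat)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(mat)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c] != 0)
        aug[c], aug[piv] = aug[piv], aug[c]
        f = aug[c][c]
        aug[c] = [v / f for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                g = aug[r][c]
                aug[r] = [rv - g * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def decrypt(s, a_mod, primes, w):
    """Receiver side: strip W, split S' over the secret primes, then apply
    x = S' . a'^-1 (eqn. 8).  Because h >= r + g, no reduction modulo p_i
    happened inside S'^(i), so the linear system is solved over the integers."""
    p = prod(primes)
    s_prime = (s * pow(w, -1, p)) % p                 # S' = S . W^-1 mod p
    s_vec = to_modular(s_prime, primes)               # (S'^(1), ..., S'^(n))
    inv = inverse_matrix(a_mod)
    n = len(primes)
    x = [sum(Fraction(s_vec[i]) * inv[i][j] for i in range(n)) for j in range(n)]
    if any(v.denominator != 1 or v < 0 for v in x):
        raise ValueError("ciphertext is not a valid subset sum for this key")
    return tuple(int(v) for v in x)


if __name__ == "__main__":
    a_public, p = make_keys(A_MOD, PRIMES, W)
    print("public key:", a_public, "p =", p)         # [50628, 59907, 3560] 65231
    s = encrypt((1, 2, 3), a_public, p)
    print("S =", s, "-> x =", decrypt(s, A_MOD, PRIMES, W))   # 50660 -> (1, 2, 3)
```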
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Practical Constraints 



We now choose the values for n, r, g, and h needed to give a secure practical 
cryptosystem. 

In order to present a large knapsack problem we set 

$n \cdot g \geq 256$ .   eqn. 9. 

The value of n is influenced by the fact that the general knapsack problem 
is not as secure as the binary knapsack because the least significant bits of 
the message are not as well hidden. We have reduced the problem by performing 
the reduction mod p, but we must still set a limit, say 

$n \geq 5$ .   eqn. 10. 

In order to protect the trapdoor and ensure that the published p is not 
factored we set 

$h \geq 255$   eqn. 11. 

so that the primes are at least 256 bit numbers. 

To ensure sufficient randomness in the knapsack components we need to bound 
the number of valid matrices a', which we call K. If we assume that any number 
$1 \le a'^{(i)}_j < 2^r$ can be chosen to be a knapsack component then the number of 
different column vectors that can be chosen is $2^{nr}$, and thus 

$K = 2^{n^2 r}$ . 

However, because of the restriction on the sum of the column vectors imposed 
by equation 6, not all of these matrices are acceptable. Let us develop a 
conservative lower bound on K by employing an averaging argument. Assume that 
all knapsack components are chosen so that 

$1 \le a'^{(i)}_j < 2^r / n$ . 

This guarantees that all the resulting matrices will satisfy equation 6. 
The number of valid column vectors that can be chosen in this way is 

$2^{nr} / n^{n}$ 

which gives   $K \geq 2^{n^2 r} / n^{n^2}$ .   eqn. 12. 

To ensure sufficient randomness in the choice of knapsack components we 
require say $K \geq 2^{128}$. Taking logs of equation 12 we get: 

$n^2 ( r - \log_2 n ) \geq 128$ .   eqn. 13. 
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The value of r is influenced by several factors. If r is small then the 
knapsack components will have a small remainder when divided by a factor 
of p (Goethals and Couvreur 1980, ref. 9). This has been allowed for by the 
disguising modular multiplication (eqn. 3); but r must be large enough to 
ensure that no knapsack component has the same remainder modulo any prime 
factor. A loose lower bound falls out from equation 13. That is, 

$r > \log_2 n$ 

but, if r is much less than n, then the choice of knapsack components is 
severely reduced by equation 6. Thus we set 

$r \geq n$ .   eqn. 14. 

The density of the cryptosystem is given by: 

$$D = \frac{n \cdot g}{n \cdot (h + 1)}$$ 

if we assume the primes are all exactly h+1 bit numbers. Now, in order to 
minimise the redundancy of the scheme and to increase the resistance to 
low-density attacks, h should be as small as possible. Thus we set eqn. 7 to: 

$h = r + g$ 

so that 

$$D = \frac{g}{g + r + 1} .$$ 

Thus to maximise D, we must keep r small. From equation 14 we should set r = n, 
and if we then set n = r = 7, we satisfy both equation 13 and equation 10. 

The size of the public key is given by: 

$PK = n \cdot (n + 1) \cdot (h + 1)$ , 

and in order to keep this small we must keep h small. So let us set eqn. 11 to 

$h = 255$ 

which gives g = 255 - 7 = 248 . 

The size of the basic message block is then: 

n . g = 1736 bits , 

which certainly satisfies eqn. 9. 

The final system parameters are then: n = r = 7, g = 248, h = 255 which 
gives D = 0.97 and PK = 14336 bits. 

Conclusions 



In this paper we have presented a new public key cryptosystem based on the 
general modular knapsack problem. Its security is not based on disguising 
a superincreasing sequence, but on the difficulty of factoring a number 
with seven 256 bit prime factors, and on a knapsack problem with a typical 
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density of 0.97 and a block size of 1736. The knapsack nature of the system 
ensures that fast encryption and decryption are possible when compared with 
the RSA public-key-cryptosystem. In addition, the size of the public key 
which is typically 14Kbits is not excessive. It may be possible to attack 
the trapdoor information more directly, but we can see no productive method 
of doing this. The only successful attacks on dense trapdoor-knapsacks to date 
have been on the security of the superincreasing sequence. Our method does not 
require this. However, it may turn out that all injective trapdoor knapsacks 
are solvable in polynomial time, in which case all such schemes are useless 
for cryptography. 
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I. Review of the RSA Cryptosystem 

The "RSA cryptosystem" [RSA78] was the first published solution to the problem of 
implementing a public-key cryptosystem [DH76], a concept invented by Diffie and Hellman. It 
remains today as the preeminent proposal for practical use. In this paper we review some of the 
considerations involved in implementing the RSA cryptosystem with special-purpose VLSI chips. 

We begin by reviewing the RSA cryptosystem itself. The reader who wishes a more detailed 
review of public-key cryptography might consult [De82], [DH76], [DH79], or [RSA78]. 

A user A of the RSA cryptosystem creates his keys as follows: 

• He first chooses at random two large (e.g. 100 decimal digit) prime numbers p and q. 

• He then multiplies them together to get his public modulus n = p · q. 

• He then chooses at random a large integer d which has no divisors in common with either 
p − 1 or q − 1. 

• He then computes e as the multiplicative inverse of d, modulo (p − 1) · (q − 1). 

• He publishes as his public key the pair (e, n), and keeps as his secret key the pair (d, n). (He 
may also wish to keep as part of his secret key the primes p and q.) 

Anyone else can then encrypt a message M for A using A's public key, resulting in ciphertext 
C, using the equation: 

C = M^e (mod n). 

Similarly, A can decrypt the ciphertext C using the equation: 

M = C^d (mod n). 

As an example, if we choose p = 47 and q = 59, we have n = 2773. If we then choose 
d = 157 we can compute e = 17 using the technique given in [RSA78]. The public key is then 
(e, n) = (17, 2773) and the secret key is (d, n) = (157, 2773). The message M = 31 can be 
encrypted using the public key to obtain the ciphertext C = 31^17 = 587 (mod 2773); decrypting 
yields the original message back: M = 587^157 = 31 (mod 2773). 

II. Security of the RSA Cryptosystem 

The security of the RSA cryptosystem depends on the difficulty for the enemy of factoring 
the published modulus n. If the enemy can factor the number n, he can compute the secret key 
(d, n) and read all of A's private mail (or forge A's digital signatures). 

The security of the RSA cryptosystem is not known to be equivalent to the problem of 
factoring; it may be possible to break the RSA cryptosystem without factoring n. However, 
the most efficient attacks found to date are all provably equivalent to factoring. One can prove 
that computing the secret key is equivalent to factoring, and some variations on the basic RSA 
scheme are provably equivalent to factoring for some attacks (see [Ra79, Wi80]). 

One interesting result, due to Andy Yao, is that the RSA system is "uniformly secure" 
in the sense that there can be no large sets of "weak messages": if an enemy can decrypt a 
significant fraction of messages encrypted with the RSA cryptosystem, then he could effectively 
decrypt all messages. Putting it another way, if the RSA cryptosystem offers security for the 
encrypted messages, then it offers uniformly high security for all messages. This follows from the 
multiplicative nature of the RSA scheme. 
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Even stronger results along this line have been proven by a number of researchers (see [ACGS84] 
and its extensive list of references). The essence of these results is that if the RSA cryptosystem 
is secure, then the enemy will not even be able to get various kinds of partial information about 
the message from the ciphertext. (If he could, he would be able to get the whole message.) 

II.A. How Hard is Factoring? 

The best available algorithms for factoring large composite integers have a running time which 
is proportional to: 

$e^{\sqrt{\ln(n) \cdot \ln(\ln(n))}}$ 

for factoring a k-bit number n. A very crude approximation to this, in the range we are interested 
in, is: 

s-io 9 ^^. 

In the range of interest, the difficulty of factoring seems to grow roughly one order of magnitude 
more difficult with each extra 50 bits (15 decimal digits) of modulus. 

At the moment, using available supercomputers, numbers with 71 digits can be factored in a 
reasonable length of time. Numbers with up to 100 decimal digits are plausibly factorable in the 
future using the best available algorithms and special-purpose hardware. 

If we take as a bench-mark data point that a 75-digit number can be factored in about one 
day with today's technology, and using the above formulas, we can derive the following table: 

75 digits - 9 · 10^12 operations - 1 day 
100 digits - 2 · 10^15 operations - 255 days 
125 digits - 3 · 10^17 operations - 103 years 
150 digits - 3 · 10^19 operations - 9,755 years 
175 digits - 2 · 10^21 operations - 70 thousand years 
200 digits - 1 · 10^23 operations - 36 million years 
225 digits - 5 · 10^24 operations - 1 billion years 
250 digits - 2 · 10^26 operations - 60 billion years 
300 digits - 1 · 10^29 operations - 5 · 10^13 years 

In our original paper [RSA78] we proposed that 200 decimal digits (around 664 bits) would be 
a reasonable modulus size; we still feel that this is a reasonable choice. 

III. Implementation Basics and the Need for Special-Purpose VLSI 

III.A. Implementation Basics 

Multiplication of two k-bit integers takes time: 

• O(k^2) on a microcomputer using a standard algorithm, 

• O(k) with special-purpose serial/parallel multiplication hardware (O(k) gates), 

• O(log k) with special-purpose parallel-parallel multiplication hardware (O(k^2) gates). 

Using today's technology, the serial-parallel approach seems the best trade-off point. 

Modular multiplication of two k-bit integers modulo a third k-bit integer takes time: 

• O(k^2) on a microcomputer using standard algorithms, 

• O(k) with special-purpose hardware (O(k) gates), 

• O((log k)^(1+ε)) with special-purpose hardware (O(k^2) gates). 

Again, with today's technology, the O(k)-time, O(k)-hardware approach seems best. 
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Modular exponentiation is an interesting computational problem in that it seems intrinsically 
"sequential": using extra hardware or extra parallelism doesn't seem to help beyond the amount 
it helps to speed up the underlying modular multiplications. To raise a k-bit number to a k-bit 
power modulo a k-bit modulus thus seems to require O(k) multiplications. We have the available 
time/hardware tradeoff choices: 

• O(k^3) time on a microcomputer (e.g. 2 minutes for 200 digits), 

• O(k^2) time using O(k) gates (e.g. 0.5 seconds for 200 digits), 

• O(k · log k) using O(k^2) gates (e.g. 7 milliseconds for 200 digits). 

The corresponding data rates would then be 

• 5 bits/second on a microcomputer, 

• 1330 bits/second with O(k) gates, and 

• 95K bits/second with O(k^2) gates. 

Key generation has two parts: finding large primes and computing e from d. The first part 
is the most expensive; it requires approximately O(k) primality tests to locate a k-bit prime, and 
each primality test requires one modular exponentiation. We thus have that the expected time to 
find two large prime numbers is: 

• O(k^4) on a microcomputer (e.g. 20 minutes for 100-digit primes), 

• O(k^3) using O(k) gates (e.g. 5 seconds for 100-digit primes), 

• O(k^2 log k) using O(k^2) gates (e.g. 70 milliseconds for 100-digit primes). 

We note that so-called "strong" primes are not intrinsically more difficult to find than random 
primes. (See the paper by J. Gordon in this proceedings.) 

The second step of generating an RSA key-set, finding e from d, is not harder than modular 
exponentiation, since we have the relation: 

$e = d^{\,\varphi(\varphi(n)) - 1} \pmod{\varphi(n)}$. 

Another approach, using the extended Euclidean algorithm for finding greatest common 
divisors, can also be used (see [RSA78] for details). The algorithm chosen here doesn't matter 
much since the bulk of work for key-generation will be in finding the large prime numbers. 

III.B. Implementation ideas for speed. 

The following ideas may help speed up an implementation, over and above the basic approach 
outlined above. 

A fast clock rate may of course be very helpful. 

Using a short encryption exponent (e.g. e = 3, as suggested by Knuth [Kn81, p. 386]) gives 
a 300-fold or so improvement in the speed of encryption and signature verifications (operations 
which use the public key), but does not help with decryption or signing (operations which use the 
secret key). This trick can not be used on d as well, since the length of e plus the length of 
d should be approximately the length of n. Furthermore, if d is short it could be guessed, so a 
short d provides little security. 

Using the Chinese Remainder Theorem - working modulo p and modulo q separately - can 
help speed up decryption and signing by a factor of 4 on a microcomputer and a factor of 2 to 4 
using O(k) hardware. 
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There are two basically different exponentiation algorithms one may use: the left-to-right 
algorithm and the right-to-left algorithm. These algorithms examine the bits of the exponent in 
different orders. Suppose the exponent e has a binary representation of $e_{k-1} e_{k-2} \ldots e_1 e_0$. Then 
the algorithms for computing a ciphertext C from a message M both begin by setting C to 1, 
and then proceed as follows: 

• The Left-to-Right Algorithm: for i from k − 1 down to 0, this algorithm first sets C to C^2 
(mod n) and then, if e_i = 1, sets C to C · M (mod n). 

• The Right-to-Left Algorithm: for i from 0 up to k − 1, this algorithm first sets C to C · M 
(mod n) if e_i = 1, and then (in any case) sets M to M^2 (mod n). 

If the left-to-right algorithm is used, then the number of modular multiplications required in 
the worst case can be reduced from 2 · k to k + k/t by precomputing a table of M^1, ..., M^(2^t − 1) 
(i.e. by modifying the left-to-right algorithm to consider the exponent e in radix 2^t instead of 
radix 2). 

If the right-to-left algorithm is used, then by using twice as much hardware one can obtain a 
two-fold speed-up, since each squaring modular multiplication can be performed in parallel with 
the "accumulation" modular multiplication. 

We note that the above two optimization techniques are incompatible, since they require 
different underlying exponentiation algorithms. 
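The two exponentiation algorithms and the radix-2^t variant, as an added Python example (not code from the paper): each routine returns the result together with its modular-multiplication count, and the counts are checked against the paper's toy key (e, n) = (17, 2773), (d, n) = (157, 2773). The window width t, the counters and the function names are this example's own assumptions; the counts show why the precomputed table pays off for a full-size exponent but not for a short one.

```python
# Toy key from the paper: p = 47, q = 59, n = 2773, d = 157, e = 17, M = 31.
P, Q, D = 47, 59, 157
N = P * Q


def public_exponent(p, q, d):
    """e = d^-1 mod (p-1)(q-1), the extended-Euclid route mentioned in the text."""
    return pow(d, -1, (p - 1) * (q - 1))


def lr_binary(m, e, n):
    """Left-to-right binary method: scan the exponent from its top bit.
    Returns (m^e mod n, number of modular multiplications, squarings included)."""
    c, mults = 1, 0
    m %= n
    for i in range(e.bit_length() - 1, -1, -1):
        c = c * c % n                 # C <- C^2
        mults += 1
        if (e >> i) & 1:
            c = c * m % n             # C <- C . M when e_i = 1
            mults += 1
    return c, mults


def rl_binary(m, e, n):
    """Right-to-left binary method.  The squaring chain M, M^2, M^4, ... does not
    depend on the accumulator C, which is why it can run on a second multiplier."""
    c, mults = 1, 0
    m %= n
    while e:
        if e & 1:
            c = c * m % n             # accumulate when the current bit is 1
            mults += 1
        m = m * m % n                 # square, in any case
        mults += 1
        e >>= 1
    return c, mults


def lr_window(m, e, n, t):
    """Left-to-right method in radix 2^t: a table of M^1, ..., M^(2^t - 1) is
    precomputed, then each t-bit digit of e costs t squarings plus at most one
    table multiplication.  Returns (m^e mod n, multiplication count)."""
    m %= n
    table = [1, m]
    mults = 0
    for _ in range(2, 1 << t):        # M^2 ... M^(2^t - 1)
        table.append(table[-1] * m % n)
        mults += 1
    mask = (1 << t) - 1
    digits = []
    while e:                          # e in radix 2^t, least significant digit first
        digits.append(e & mask)
        e >>= t
    c = 1
    for j, d in enumerate(reversed(digits)):
        if j:                         # no squarings before the leading digit
            for _ in range(t):
                c = c * c % n
                mults += 1
        if d:
            c = c * table[d] % n
            mults += 1
    return c, mults


if __name__ == "__main__":
    e = public_exponent(P, Q, D)                    # 17
    print("e =", e, "C =", lr_binary(31, e, N))     # (587, 7)
    print("M =", rl_binary(587, D, N)[0])           # 31
    worst = (1 << 664) - 1                          # all-ones 664-bit exponent
    print(lr_binary(31, worst, N)[1], lr_window(31, worst, N, 4)[1])   # 1328 840
```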

An elegant approach for speeding up the computation is to perform modular multiplication 
directly, rather than first performing an integer multiplication and then reducing the result modulo 
n as a separate step. This can yield a six-fold (approximately) speed-up, since the modular 
multiplication of two k-bit numbers can now be performed in approximately k clock cycles instead 
of approximately 6 · k (see [Br82]). 

IV. Overview of Existing/Planned Chips 

In this section we review briefly six designs for RSA chips. These reviews are brief, and only 
intended to give the reader a feel for the kinds of chips possible with today's technology. For more 
details the reader should consult the references. Also, there are other chips in the design stage 
for which no references exist; these chips are not listed here. 

IV.A. The "first" RSA chip 

This chip was designed by Rivest, Shamir, and Adleman, and is described in [Ri80]. 

It was a single-chip nMOS design; using 4-micron design rules, the chip occupied 42 mm^2. It 
contained a 512-bit ALU in bit-slice design with eight 512-bit registers for storage of intermediate 
results, carry-save adder logic, and up-down shifter logic. The 224-word microcode ROM con- 
tained control routines for encryption, decryption, finding large primes, gcd, etc. It used a 5V 
supply, and drew approximately 1 watt of power. It contained approximately 40,000 transistors. 
It communicated with a host microprocessor using an 8-bit I/O port. The encryption rate was 
designed to be slightly in excess of 1200 bits/second. Due to an as yet undiagnosed error in the 
memory cell design, this chip never worked reliably. 

IV.B. The NEC/Miyaguchi Design 

This chip design was described in [Mi82]; I do not know if it was ever fabricated. 

The design was for a cascadable chip set, with each chip having a 2-bit slice. (So 333 chips 
would be needed for a 200 decimal digit modulus.) Each chip would contain a 2 by 8 multiplier; 
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multiplication would be done byte-wise (8 by n). An encryption rate of 50,000 bits/second 
was claimed possible for a 512-bit modulus using this design, or 29,000 bits/second using a 200 
decimal-digit modulus. 

IV.C. The First Sandia Design 

This chip, described in [RSWB82], used a two-chip set to work with numbers up to 336 bits 
in length. Each of the two chips is identical and could perform a modular multiplication of 
336-bit numbers. Using the right-to-left exponentiation algorithm, one chip repeatedly squared 
the message while the other chip accumulated the product of the desired powers. 

The chip was fabricated using 3-micron CMOS technology; the total area of the chip is 41 
mm^2. With a 20 MHz clock rate the chip can encrypt one block in 0.8 second - a rate of 420 
bits/second. The chip works correctly. 

IV.D. The Second Sandia Design 

This design is still in progress. The mathematics involved are described in [Br82]; the chip 
performs modular multiplications directly. 

The chip will be cascadable; the first chips made are likely to be a 128-bit slice of the set. 
(For 512-bit moduli, four chips would be needed.) 

IV.E. The "RSA Security" Design 

RSA Security, Inc., a new start-up in the data-encryption area, is designing an RSA chip for 
commercial use [RSA84]. Currently in the design stage, the chip should be available in sample 
quantities in mid-1985. 

Using 3-micron CMOS design rules, the chip should be approximately 47 mm^2 in size. 

It will be able to handle numbers up to 200 decimal digits (664 bits) in length, and should be 
able to do one encryption in under 65 milliseconds (i.e. the data rate should be in excess of 9600 
bits/second for a full-size modulus). 

V. The Future... 

It is interesting to observe that seven years ago, when the RSA cryptosystem was invented, 
the task of implementing the RSA scheme in a reasonably secure manner was quite expensive. 
(For example, we built a $3000 TTL implementation that could only handle numbers slightly 
over 300 bits in length.) Today, a very secure implementation (664 bits) fits nicely on one chip. 
Seven years from now we may move from a 3-micron technology to a submicron (say 0.3 micron) 
technology, giving a 100-fold reduction in area. In this case the same RSA implementation will 
take only 1% of a typical chip. The steady progress of technology will clearly make cryptography 
so cost-effective that no information system that handles data that is at all sensitive or that needs 
to be authenticated can afford to do without it. 
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The quadratic sieve algorithm is currently the method of choice to factor very 
large composite numbers with no small factors. In the hands of the Sandia National 
Laboratories team of James Davis and Diane Holdridge, it has held the record for the 
largest hard number factored since mid-1983. As of this writing, the largest number 
it has cracked is the 71 digit number (10^71 − 1)/9, taking 9.5 hours on the Cray 
XMP computer at Los Alamos, New Mexico. In this paper I shall give some of the 
history of this algorithm and also describe some of the improvements that have been 
suggested for it. 

KRAITCHIK'S SCHEME 

There is a large class of factoring algorithms that share a common strategy. 
If N is the number to be factored, then the idea is to multiply congruences 
U ≡ V mod N, where complete or partial factorizations (depending on the 
algorithm) have been obtained for U and V, so as to produce a special congruence 
X^2 ≡ Y^2 mod N. Then one stands a good chance that the greatest common factor 
(X − Y, N), found by Euclid's algorithm, is a non-trivial factor of N. If it is not, 
then another combination of congruences can be tried. Thus these algorithms have 
several parts: 

(1) Generation of the congruences U ≡ V mod N, 

(2) Determination of the complete or partial factorizations of U and V for 
some of the congruences, 

(3) Determination of a subset of the factored congruences which can be 
multiplied to produce a special congruence X^2 ≡ Y^2 mod N, 

(4) Computation of (X − Y, N). 
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For example, say we try to factor N = 91 and we notice that 
81 ≡ −10, 90 ≡ −1, 75 ≡ −16, and 64 ≡ −27. 
Factoring these numbers completely we have 

3^4 ≡ −2·5, 2·3^2·5 ≡ −1, 3·5^2 ≡ −2^4, and 2^6 ≡ −3^3. 

Multiplying the last two congruences, we have 

2^6·3·5^2 ≡ 2^4·3^3, 

or cancelling common factors, 

2^2·5^2 ≡ 3^2. 

This gives 10^2 ≡ 3^2 mod 91 and 7 = (10 − 3, 91). Or we might have multiplied the first 
two congruences, getting 

2·3^6·5 ≡ 2·5 → 3^6 ≡ 1, 

so 27^2 ≡ 1^2 mod 91 and 13 = (27 − 1, 91). 

This general scheme for factoring was published by Kraitchik CO in 1926. The 
numbers U, V are factored into primes except for squared factors. Since most of 
the congruences one is likely to generate will not successfully factor in step (2), 
one's chances are enhanced if one of U, V is arranged to be a square and the other 
has a large square factor. In [5], pp. 26-27, Kraitchik explains how this should be 
done. He lets U = x^2 where x is carefully chosen so that V = −N + x^2 has a large 
factor y^2. He can force y^2 to appear by choosing x as a solution of the quadratic 
congruence x^2 ≡ N mod y^2. However, V/y^2 need not be small and so easily 
factorable. This method has its problems. 

Kraitchik opportunistically used other congruences U ≡ V mod N that were 
suggested by the special form of N in question. These congruences would not be 
available for a "random" N. In his later work [5], the congruences U ≡ V mod N 
were used to assist in finding X and Y with X^2 − Y^2 = N. This is an old factoring 
strategy that goes back to Fermat. I think Kraitchik preferred this method for two 
reasons. First, fewer congruences U ≡ V mod N with multiplicative information about 
U and V are used. Second, when X, Y are found with X^2 − Y^2 = N, one could be assured 
of a non-trivial factorization of N, unlike with the other method where step (4) 
may produce a trivial factorization. Little did Kraitchik know that his largely 
abandoned method of producing "cycles" (the combination of congruences in step (3)) 
would be the basis of most modern factoring algorithms! 
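An added Python example (not code from the paper) that runs steps (2) to (4) on the N = 91 congruences above: each U·V is trial-divided over the constructed factor base {2, 3, 5}, its exponent vector is reduced mod 2, and the subset in step (3) is found by Gaussian elimination over Z/2Z rather than by inspection. Multiplying each congruence through by V turns U ≡ V into U·V ≡ V^2, so a subset whose U·V product has all-even exponents gives X^2 ≡ Y^2 with X read off from the halved exponents and Y the product of the V's; the function names are this example's own.

```python
from math import gcd

# Constructed input: the paper's toy case N = 91 with the four congruences
# U == V (mod 91) it lists, each side smooth over the factor base {2, 3, 5}.
N = 91
FACTOR_BASE = [2, 3, 5]
RELATIONS = [(81, -10), (90, -1), (75, -16), (64, -27)]


def factor_over_base(v, base):
    """Trial-divide v by the factor base.  Returns the exponent vector
    (exponent of -1 first, then one entry per base prime), or None if a
    cofactor is left over, i.e. v is not smooth over the base (step (2))."""
    exps = [1 if v < 0 else 0]
    v = abs(v)
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def dependencies_gf2(rows):
    """Incremental Gaussian elimination over Z/2Z.  Each row is an int used as
    a bit-vector; 'hist' records which original rows were XORed into it, so a
    row that reduces to zero yields the set of relations whose product has
    all-even exponents, i.e. is a perfect square."""
    pivots = {}                      # leading bit -> (reduced row, history)
    for i, r in enumerate(rows):
        hist = 1 << i
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (r, hist)
                break
            pr, ph = pivots[lead]
            r ^= pr
            hist ^= ph
        else:
            yield hist


def kraitchik(n, relations, base):
    """Steps (2)-(4): keep the relations U == V (mod n) whose product U*V is
    smooth, combine subsets into X^2 == Y^2 (mod n), and return the first
    non-trivial gcd(X -/+ Y, n) found, or None if every combination is trivial."""
    kept, rows = [], []
    for u, v in relations:
        e = factor_over_base(u * v, base)   # U*V == V^2 (mod n), so U*V is the
        if e is None:                       # number whose exponents must be even
            continue
        kept.append((v, e))
        rows.append(sum((x & 1) << k for k, x in enumerate(e)))
    for dep in dependencies_gf2(rows):
        total = [0] * (len(base) + 1)
        y = 1
        for i, (v, e) in enumerate(kept):
            if dep >> i & 1:
                total = [a + b for a, b in zip(total, e)]
                y = y * v % n                # Y = product of the V's
        x = 1                                # X = sqrt(product of U*V): halve exponents
        for p, ex in zip(base, total[1:]):
            x = x * pow(p, ex // 2, n) % n
        for cand in (x - y, x + y):
            g = gcd(cand % n, n)
            if 1 < g < n:
                return g
    return None


if __name__ == "__main__":
    print(kraitchik(N, RELATIONS, FACTOR_BASE))        # 13, from the first two congruences
    print(kraitchik(N, RELATIONS[2:], FACTOR_BASE))    # 7, from the last two
```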
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THE CONTINUED FRACTION ALGORITHM 

Instead of finding $U \equiv V \bmod N$ with one of U,V a square and the other divisible
by a large square factor, another strategy might be to choose one a square
and the other small in absolute value. It thus would more likely factor in step (2).
In 1931, Lehmer and Powers [6] suggested the use of the continued fraction expansion
of $\sqrt N$ to generate the congruences $U \equiv V \bmod N$ in Kraitchik's scheme. This is
done by a simple recursive procedure that creates pairs $Q_n, A_n$ where

(1) $Q_n \equiv A_n^2 \bmod N$

and $|Q_n| < 2\sqrt N$. An old method of Legendre also suggested the use of the continued
fraction expansion of $\sqrt N$, but his aim was to use the congruences (1) to find
information on the quadratic character modulo the prime factors p of N. Then a direct
search, such as trial division, could be greatly speeded up because many potential
divisors would not have the proper character. In contrast, Lehmer and Powers advocated
multiplying several congruences of the form (1) to produce congruent squares.

Morrison and Brillhart [10] were the first to try the continued fraction algorithm
on a modern computer. In the implementation they made several major improvements
and refinements that would be of use in any of the combination of congruences
family of algorithms. First, they used a "factor base", or all of the primes to some
point F, to determine which of the congruences (1) were useful. When a congruence (1)
was generated, the number $Q_n$ was subjected to trial division by the primes $p \le F$.
If a complete factorization could be obtained, the congruence was kept for later use;
if not, it was discarded.

Step (3) of the algorithm, the actual combination of congruences, was effected
by a Gaussian elimination in a very large matrix over Z/2Z. Specifically, if the
factor base consists of the primes $p_1, \ldots, p_f$, and if

$Q_n = (-1)^{a_0} \prod_{i=1}^{f} p_i^{a_i}$

where the $a_i$ are non-negative integers, then we look at the vector

$v(n) = (a_0, a_1, \ldots, a_f) \bmod 2$.

If we have enough vectors v(n), then Gaussian elimination will produce a linear
dependency

$v(n_1) + \cdots + v(n_k) = 0$,

so that $Q_{n_1} \cdots Q_{n_k}$ is a square, say $X^2$. If we compute $X \bmod N$ and
$Y = A_{n_1} \cdots A_{n_k} \bmod N$, then $X^2 \equiv Y^2 \bmod N$ and we are ready for step (4).
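The procedure just described, as an added worked example in Python (it is not code from the original paper or from Morrison and Brillhart): the continued fraction expansion of $\sqrt N$ supplies the pairs $Q_n, A_n$ of (1), the $Q_n$ that factor over the factor base become vectors mod 2, Gaussian elimination over Z/2Z finds a dependency, and step (4) takes a gcd; since a dependency may give only a trivial factorization, the code moves on to the next one. The factor base bound F, the recurrence used for the expansion and the small composite N in the usage line are my choices.

```python
from math import gcd, isqrt


def primes_upto(F):
    """All primes p <= F (sieve of Eratosthenes)."""
    flags = bytearray([1]) * (F + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(F) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, F + 1, p)))
    return [p for p in range(2, F + 1) if flags[p]]


def cfrac_relations(N, count):
    """Yield pairs (A, Q) with A^2 ≡ Q (mod N) and |Q| < 2 sqrt(N).

    Continued fraction of sqrt(N): P_0 = 0, Q_0 = 1, q_0 = floor(sqrt N);
    P_{n+1} = q_n Q_n - P_n, Q_{n+1} = (N - P_{n+1}^2) / Q_n, and the convergent
    numerators A_n (kept mod N) satisfy A_{n-1}^2 ≡ (-1)^n Q_n (mod N).
    """
    r = isqrt(N)
    assert r * r != N, "N must not be a perfect square"
    P, Q, q = 0, 1, r
    A_prev, A_cur = 1, r                     # A_{-1}, A_0
    for n in range(1, count + 1):
        P = q * Q - P
        Q = (N - P * P) // Q                 # exact division for the sqrt(N) expansion
        q = (r + P) // Q
        yield A_cur, (-1) ** n * Q
        A_prev, A_cur = A_cur, (q * A_cur + A_prev) % N


def factor_over_base(Q, base):
    """Exponent vector of Q over [-1] + base, or None if Q does not factor."""
    exps = [1 if Q < 0 else 0]
    Q = abs(Q)
    for p in base:
        e = 0
        while Q % p == 0:
            Q //= p
            e += 1
        exps.append(e)
    return exps if Q == 1 else None


def gf2_dependencies(rows):
    """Gaussian elimination over Z/2Z on rows given as bitmasks.

    Yields, in the order found, lists of row indices whose vectors sum to 0.
    """
    pivots = {}                              # pivot bit -> (reduced row, history)
    for i, row in enumerate(rows):
        hist = 1 << i                        # which original rows were combined
        while row:
            low = row & -row                 # lowest set bit
            if low not in pivots:
                pivots[low] = (row, hist)
                break
            prow, phist = pivots[low]
            row ^= prow
            hist ^= phist
        else:                                # row reduced to zero: a dependency
            yield [j for j in range(i + 1) if hist >> j & 1]


def cfrac_factor(N, F):
    """Steps (1)-(4) of Kraitchik's scheme driven by continued fraction pairs."""
    base = primes_upto(F)
    for p in base:
        if N % p == 0:
            return p
    want = len(base) + 2                     # sign column + base => a dependency exists
    rels = []
    for A, Q in cfrac_relations(N, 50 * want):
        v = factor_over_base(Q, base)
        if v is not None:
            rels.append((A, v))
            if len(rels) >= want:
                break
    rows = [sum((e & 1) << k for k, e in enumerate(v)) for _, v in rels]
    for dep in gf2_dependencies(rows):
        Y, total = 1, [0] * (len(base) + 1)
        for j in dep:
            Y = Y * rels[j][0] % N
            total = [s + e for s, e in zip(total, rels[j][1])]
        X = 1                                # X^2 = product of the Q's (all exponents even)
        for p, e in zip(base, total[1:]):
            X = X * pow(p, e // 2, N) % N
        g = gcd(X - Y, N)
        if 1 < g < N:                        # step (4); otherwise try the next dependency
            return g
    return None


if __name__ == "__main__":
    print(cfrac_factor(1081, 20))            # constructed example: 1081 = 23 * 47
```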
Another improvement, called the "early abort strategy", was described in [11].
This improvement extended the useful range of the continued fraction algorithm on
an ordinary main frame computer by about 10 digits, from the mid 40's to the mid
50's (see [14], [12]).

A special purpose, low cost processor has been designed by J.W. Smith and
S.S. Wagstaff, Jr. and built at the University of Georgia to implement the continued
fraction algorithm with the early abort strategy. It is designed to do the trial
division step on a $Q_n$ in parallel (several trial divisors can be tried at once)
and the device has extended precision, so that this arithmetic done with long
integers can be done in single precision. It should be fully operational soon and we
await their results. It will probably be somewhat inferior to the results produced
by the Sandia team, but this should be weighed by the fact that the cost of the Smith-
Wagstaff device is about three orders of magnitude less than the cost of a Cray
XMP.

THE MILLER-WESTERN ALGORITHM

The issue of Mathematics of Computation which contains the Morrison-Brillhart
paper is dedicated to D.H. Lehmer and has many interesting articles on computational
number theory. In this issue there is an article by J.C.P. Miller [7] on factoring
that also uses congruences $U \equiv V \bmod N$. He attributes the idea to A.E. Western. The
aim is to find congruences with U and V completely factored. But rather than
combine these congruences to produce congruent squares, each congruence is read as
a linear relation of indices with respect to some primitive root g of p, where
p is a prime factor of N. When enough congruences can be found there is a chance
of finding p via created congruences of the form $a^t \equiv 1 \bmod N$. If some $q \mid t$ can
be found with $a^{t/q} \not\equiv 1 \bmod N$, then perhaps $(a^{t/q} - 1, N)$ is a non-trivial factor of
N.

I see no particular advantage to this method over just combining the factored
congruences to produce congruent squares in the Kraitchik scheme. I mention the
algorithm here because of the very simple way Miller chooses the congruences
$U \equiv V \bmod N$. Namely he just partitions N as A+B, letting U = A, V = -B. There is
an interesting unsolved problem of Erdős that says that for each $\varepsilon > 0$ there is an
$N_0(\varepsilon)$ such that for each integer $N > N_0(\varepsilon)$ there is a partition of N as A+B
where no prime in AB exceeds $N^\varepsilon$. What we need is an algorithmic solution of
Erdős's problem that gives many such pairs A,B. Perhaps this problem (and factoring
itself) is not so hard!
SCHROEPPEL'S ASYMPTOTIC ANALYSIS

In the late 1970's some important advances on factoring were made by Richard
Schroeppel. He never published his results, but they have become known through copies
of his letters and through second hand published accounts (e.g. [8], [11]). First,
Schroeppel began the systematic study of the asymptotic running time of factorization
algorithms in the Kraitchik family. Second, he found an algorithm in the family
where step (2) could be accomplished without time consuming trial division.

Schroeppel's asymptotic analysis hinged on the optimal choice of the parameter
F, the upper bound for the primes in the factor base. A small choice of F means
only few factored congruences are necessary to produce a linear dependency, but such
congruences are very hard to find. With a large choice of F the situation is
reversed. Somewhere between "large" and "small" is the optimal choice. Schroeppel
realized that to study this situation asymptotically one needed to use the function
$\psi(x,y)$, the number of integers up to x divisible by no prime exceeding y. Specifically
this was needed with x being the average size of the residues being trial
divided and y = F. Thus $\psi(x,y)/x$ represents the "probability" that a residue will
completely factor over the factor base.

For example, suppose we study the continued fraction algorithm. Then the typical
$Q_n$ will be approximately $\sqrt N$. Further, if f is the number of primes in the
factor base, then we should have $f \approx F/(2\log F)$ (only those odd primes p with
$(N/p) = 1$ can divide a $Q_n$). We need to obtain about f completely factored $Q_n$'s.
Thus we should expect to have to generate

$f\,\bigl(\psi(\sqrt N, F)/\sqrt N\bigr)^{-1} = f\sqrt N/\psi(\sqrt N, F)$

values of $Q_n$ before enough factored ones are found. More, we need to do about f
trial divisions on the average $Q_n$ produced, so the total number of trial division
steps needed to factor N with the continued fraction algorithm should be about

$f^2 \sqrt N/\psi(\sqrt N, F)$.

Ignoring other steps in the algorithm, we thus choose F so as to minimize this
quantity. Schroeppel assumed that

$\psi(x, x^{1/u})/x = u^{-(1+o(1))u}$ for $(\log x)^{\varepsilon} < u < (\log x)^{1-\varepsilon}$

(a result which was subsequently proved in [1]) and found that the optimal choice
of F is $L(N)^{1/\sqrt 8 + o(1)}$ where

$L(N) = \exp\bigl(\sqrt{\log N \log\log N}\bigr)$

(natural logs) and that the expected running time is $L(N)^{\sqrt 2 + o(1)}$. Of course, this
argument is only heuristic; for one, it is assumed without proof that the numbers
$Q_n$ factor over the primes to F as frequently as random numbers of the same
approximate size.

SCHROEPPEL'S LINEAR SIEVE

Schroeppel's new algorithm with by-passed trial division is also in Kraitchik's
family. Let

(2) $S(A,B) = (\lfloor\sqrt N\rfloor + A)(\lfloor\sqrt N\rfloor + B) - N$, $\qquad T(A,B) = (\lfloor\sqrt N\rfloor + A)(\lfloor\sqrt N\rfloor + B)$.

If |A|, |B| are less than $N^\varepsilon$, then $|S(A,B)| \lesssim 2N^{1/2+\varepsilon}$ so that the S(A,B) are
relatively small, not much larger than the $Q_n$'s given by (1). More, we evidently
have

$S(A,B) \equiv T(A,B) \bmod N$

so that we use these as the congruences in Kraitchik's scheme. We attempt to completely
factor the S(A,B)'s over a factor base, but we do not try to factor the
T(A,B)'s. Note that (2) already gives a partial factorization of T(A,B). We could
thus arrange for a product of T(A,B)'s to be a square if each A and each B is
used an even number of times in the product. Thus we treat the variables A,B as if
they were primes in the Gaussian elimination step.

Thus the Gaussian elimination step is harder and the residues S(A,B) are a
bit larger than in the continued fraction algorithm. There is an advantage here,
though, and it is that the numbers S(A,B) can be factored without trial division.
The idea is that for a fixed value $A_0$ for A we can let B run over consecutive
integers. These numbers form an arithmetic progression, so that if $p \mid S(A_0,B_0)$, then
$p \mid S(A_0,B_0+p)$, $p \mid S(A_0,B_0+2p)$, etc. That is, we know beforehand exactly which values
of B have $S(A_0,B)$ divisible by p. No more do we need to waste a trial division
step on a number where the trial divisor does not go.

Schroeppel's asymptotic analysis suggested the running time of his algorithm
was $L(N)^{1+o(1)}$. However, his analysis neglected the time for the Gaussian elimination.
This is not a mistake in the continued fraction algorithm analysis because it
really takes less time than the trial division step. But in Schroeppel's algorithm
we have given the Gaussian elimination a larger task to accomplish and it can be
shown (heuristically) that it takes $L(N)^{3/2+o(1)}$ steps, worse than the running
time of the continued fraction algorithm.

THE QUADRATIC SIEVE 

In 1981 I suggested taking A = B in Schroeppel's linear sieve algorithm,
calling the resulting method the quadratic sieve algorithm. This simple move changes
things drastically. Let

(3) $Q(A) = S(A,A) = (\lfloor\sqrt N\rfloor + A)^2 - N$.

Thus we are back in the game of producing quadratic residues as in the continued
fraction algorithm, so the Gaussian elimination step should not be a major difficulty.
In addition, we can still sieve as Schroeppel did. If $p \mid Q(A_0)$, then
$p \mid Q(A_0+p)$, $p \mid Q(A_0+2p)$, etc. This property of the function Q(A) follows from the
fact that it is a polynomial with integer coefficients. Heuristically, the running
time for the algorithm is $L(N)^{3/\sqrt 8 + o(1)}$ including the matrix step, an improvement
over the continued fraction algorithm. This analysis and a description of the algorithm
is found in [11].

The idea in (3) is to choose A with $|A| < N^\varepsilon$. Since for small A we have

$Q(A) \approx 2A\sqrt N$,

we thus have $|Q(A)| \lesssim 2N^{1/2+\varepsilon}$, as with Schroeppel. It is amusing to note that the
method (3) of choosing quadratic residues mod N is very similar to that of
Kraitchik discussed above. There is a difference though. Kraitchik carefully prepared
values of x so that $x^2 - N$ had a large square factor. In (3) we indiscriminately
choose all values of x near $\sqrt N$.

The advantage is clear, because now we can use a sieve. For each odd prime p
in the factor base (p is in the factor base if $(N/p) = 1$) we solve the quadratic
congruence

$(\lfloor\sqrt N\rfloor + A)^2 \equiv N \bmod p$,

labelling the solutions $A_p, A_p'$ (for p = 2, special treatment is required). We
then compute very crude logs of each of the Q(A) for A in a long interval (these
logs are all approximately equal). These logs are stored in an array indexed by the
values of A. We then pull out each log that has its index $A \equiv A_p$ or $A_p' \bmod p$
and subtract log p from the number in the location. (Again, log p is a low precision
log). This is done for each p in the factor base and for some of the higher
powers of the smaller primes p. At the end, we scan the array for residual logs
that are close to 0. These locations correspond to values of Q(A) that completely
factored. The number Q(A) may now be computed and factored by trial division. Of
course, very few numbers Q(A) completely factor, so the amount of trial division
in the algorithm is negligible. Note that not only does the quadratic sieve algorithm
have asymptotically fewer steps than the continued fraction algorithm, but
each step is simpler. In the quadratic sieve a typical step is a single precision
subtraction, while in the continued fraction algorithm a typical step is a divide
with remainder of a single precision integer into a long dividend.

Asymptotically, the algorithm of Schnorr and Lenstra [13] (which is not in the
Kraitchik family) should be faster than the quadratic sieve: its heuristic run time
is $L(N)^{1+o(1)}$. However it has not yet proved computer practical and the crossover
point may be very large. A typical step in the Schnorr-Lenstra algorithm is composition
of binary quadratic forms with multi-precision entries and finding a reduced
form in the class.
THE DAVIS VARIATION

Davis and Holdridge [2] have written a very clear article on the implementation
of the quadratic sieve algorithm and there is no need to duplicate their work
here. But I would like to mention an important improvement Davis made on the method.
It seems clear that the quadratic sieve algorithm majorizes the continued fraction
algorithm in every respect but in the size of the quadratic residues. Namely, in the
latter method, each $|Q_n|$ is less than $2\sqrt N$ but in the former, the numbers $|Q(A)|$
are about $N^{1/2+\varepsilon}$ (where $\varepsilon > 0$ is small and tends to 0 slowly as $N \to \infty$). Of
course, the larger the residue, the less likely it is to factor over the factor base.

The Davis variation is simply to sieve over various arithmetic progressions of
A's so that the Q(A)'s are guaranteed to have a fixed factor. Specifically, if p
is some large prime not in the factor base and $p \mid Q(A_0)$ where $0 < A_0 < p$, then p
divides every $Q(A_0 + Ap)$ as noted before. Let

$Q_p(A) = Q(A_0 + Ap)$.

Then

$Q_p(A)/p \approx 2A\sqrt N$,

so that after the known factor p is divided out of $Q_p(A)$, the cofactor is about
the same size as Q(A). Thus instead of having just one polynomial to work with, we
have a large family of polynomials, one (in fact, two) for each possible p. For
each p used we consider p as a new prime in the factor base. Thus if k factored
values of $Q_p(A)$ are found, after eliminating p we have k-1 vectors left
over the original factor base. However, Davis avoids losing even one vector. He
does this by finding a factored $Q_p(A)$ for "free". This magic is accomplished as
follows. If in the original polynomial Q(A) a location $A_1$ is found after sieving
where the residual log is not near 0, but less than $2\log F$, then the cofactor after
$Q(A_1)$ is divided by all primes in the factor base is a prime p with $F < p < F^2$. We
thus use this p to form $Q_p(A)$ (and we can choose $A_0 \equiv A_1 \bmod p$). We start with
one factored value before sieving the new polynomial, so any new factored values
found are all to the good.

THE MONTGOMERY VARIATION

Independently of Davis, Peter Montgomery [9] has come up with another strategy
for fighting the drift to infinity of the quadratic residues Q(A). His method
tailor-makes polynomials to custom fit not only the number N to be factored, but
the length of the interval we sieve over before we change polynomials.

Suppose we sieve over intervals of length 2M before we change polynomials.
We are looking for polynomials

$F(x) = ax^2 + 2bx + c$ where $N \mid b^2 - ac$,

for then

(4) $aF(x) = a^2x^2 + 2abx + ac = (ax+b)^2 - (b^2 - ac) \equiv (ax+b)^2 \bmod N$.

Further, we would like the values of F(x) to be small in absolute value on an
interval of length 2M. It thus seems reasonable to center this interval on the
vertex of the parabola F(x), so we specify the interval as

$I = (-b/a - M,\; -b/a + M)$

and choose a,b,c so that

$-F(-b/a) \approx F(-b/a - M) = F(-b/a + M)$.

To be specific, we choose a,b,c so that

(5) $b^2 - ac = N$.

Then from (4),

$-aF(-b/a) = N$, $\qquad aF(-b/a - M) = aF(-b/a + M) = a^2M^2 - N$.

Thus we should choose a so that $N \approx a^2M^2 - N$, i.e.,

(6) $a \approx \sqrt{2N}/M$.

Montgomery suggests then that we decide first on 2M, the length of the interval
sieved. Next an integer a is chosen satisfying (6) and then integers b and c
are found satisfying (5). (For example, we could choose a as a prime satisfying
$(N/a) = 1$. Then the quadratic congruence $b^2 \equiv N \bmod a$ is solved for b and c is
chosen as $(b^2 - N)/a$.)

We thus have constructed a quadratic polynomial F(x) so that on the interval I

$|F(x)| \lesssim \frac{1}{\sqrt 2}\, M\sqrt N$.

This is better than the polynomials Q(A) and $Q_p(A)/p$. For them on the interval
(-M,M) their absolute values are bounded by $2M\sqrt N$. Thus the largest of Montgomery's
residues are about $2\sqrt 2$ times smaller and so somewhat more likely to factor over
the factor base.

Here is an idea which should improve Montgomery's basic plan. If $k \ge 1$ values
of F(x) are found which factor over the factor base, we only end up with k-1
vectors because the factor a must be eliminated from the congruences (4). This
could be serious if the expected value of k were much smaller than 1, for then in
the rare instances we had k > 0, it would be likely that k = 1 and nothing would
be gained. To solve this problem, we choose $a = g^2$ where g is a prime with
$(N/g) = 1$ and $g \approx \sqrt{\sqrt{2N}/M}$. Then everything is as before, but we do not have to
eliminate a from (4) because it is a square. All factored values of F(x) are now to
the good.

The quadratic congruence

(7) $b^2 \equiv N \bmod g^2$

can be solved very simply if $g \equiv 3 \bmod 4$ and $(N/g) = 1$. Just take

$b = N^{(g^2 - g + 2)/4} \bmod g^2$.

This involves arithmetic mod $g^2$. Instead, by first solving (7) mod g by taking
$b_1 = N^{(g+1)/4} \bmod g$ and next determining x so that $(b_1 + xg)^2 \equiv N \bmod g^2$, all of the
arithmetic can be done mod g. (This idea was suggested by Wagstaff; it is an elementary
application of Hensel's lemma.)
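Both ways of solving (7), and the polynomial they feed, as an added Python example (not Montgomery's or the paper's code): the closed form $N^{(g^2-g+2)/4}$ mod $g^2$, the Hensel lift from $b_1 = N^{(g+1)/4}$ mod g, and the coefficients $a = g^2$, b, $c = (b^2-N)/a$ of F(x) satisfying (5) and (4). The function names, the interval helper and the values of N and g in the usage line are my choices.

```python
from math import isqrt


def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p, by Euler's criterion."""
    s = pow(n % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def sqrt_mod_g2_direct(N, g):
    """b with b^2 ≡ N (mod g^2) via b ≡ N^((g^2 - g + 2)/4), arithmetic mod g^2."""
    assert g % 4 == 3 and legendre(N, g) == 1
    return pow(N, (g * g - g + 2) // 4, g * g)


def sqrt_mod_g2_hensel(N, g):
    """Same root with all arithmetic mod g (Wagstaff's suggestion, Hensel's lemma):
    b1 ≡ N^((g+1)/4) solves b1^2 ≡ N (mod g); then (b1 + x g)^2 ≡ N (mod g^2)."""
    assert g % 4 == 3 and legendre(N, g) == 1
    b1 = pow(N, (g + 1) // 4, g)
    # (b1 + x g)^2 ≡ b1^2 + 2 b1 x g (mod g^2), so x ≡ ((N - b1^2)/g) (2 b1)^(-1) (mod g)
    t = ((N - b1 * b1) // g) % g
    x = t * pow(2 * b1, -1, g) % g
    return (b1 + x * g) % (g * g)


def montgomery_polynomial(N, g):
    """(a, b, c) for F(x) = a x^2 + 2 b x + c with a = g^2 and b^2 - a c = N, eq. (5)."""
    a = g * g
    b = sqrt_mod_g2_hensel(N, g)
    c = (b * b - N) // a                 # exact, since b^2 ≡ N (mod a)
    return a, b, c


def poly_value(coeffs, x):
    a, b, c = coeffs
    return a * x * x + 2 * b * x + c


def max_abs_on_interval(coeffs, M):
    """max |F(x)| over integers x in I = (-b/a - M, -b/a + M), Montgomery's interval."""
    a, b, c = coeffs
    lo = -((b + a * M) // a)             # ceil(-b/a - M)
    hi = (a * M - b) // a                # floor(-b/a + M)
    return max(abs(poly_value(coeffs, x)) for x in range(lo, hi + 1))


if __name__ == "__main__":
    N, g = 8051, 7                       # constructed: 8051 = 83 * 97, g ≡ 3 (mod 4), (N/g) = 1
    coeffs = montgomery_polynomial(N, g)
    print(coeffs, max_abs_on_interval(coeffs, 3))
```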

Above we chose a satisfying (6) to minimize the maximum value of |F(x)| on
I. Instead, it may be more appropriate to minimize the average value of |F(x)|.
For this we should choose

$a \approx (1.5127\ldots)\sqrt N/M$.

However, it probably makes very little difference whether we choose a by this
scheme or by (6).

In the implementation of Montgomery's variation (which has not yet been done)
one should compute how costly it is to produce new polynomials F(x). If it is very
costly, a larger value should be chosen for M; if it is not so costly, a smaller
value should be chosen for M. That is, we should sieve over as short an interval
as possible, where the overhead of producing new polynomials and computing the
starting points for each prime used in the sieve says it should not be too short.

LARGE PRIME VARIATION 

In [11] the large prime variation was suggested for the quadratic sieve. This
variation is commonly used with the continued fraction algorithm. As mentioned
above, if the residual log after sieving is not close to 0, but less than $2\log F$,
then we have produced a quadratic residue that completely factors over the factor
base except for one large prime factor p with $F < p < F^2$. Not only do we receive
this information for free, but such residues are simple to process. If the large
prime p is never seen again in another factored residue, it is useless for us and
this line may be discarded. If it appears k times, we can eliminate it, being
left with k-1 vectors over the factor base. The "birthday paradox" suggests that
the event $k \ge 2$ will not be that uncommon.
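The sieving procedure described under THE QUADRATIC SIEVE and the residual-log test of the large prime variation, as an added Python example (not the paper's or Sandia's code): it sieves crude logs of Q(A) over every prime power of the factor base, classifies positions with residual near 0 as completely factored and positions with residual below 2 log F as having one large prime cofactor, and checks the result by trial division. Root-finding by exhaustive search and the constructed N = 8051 = 83 * 97 are my simplifications; a real implementation would compute modular square roots.

```python
from math import isqrt, log


def factor_base(N, F):
    """Primes p <= F that can divide Q(A): p = 2 or N a quadratic residue mod p."""
    small = [p for p in range(2, F + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    return [p for p in small if p == 2 or pow(N % p, (p - 1) // 2, p) == 1]


def sqrt_roots(N, m):
    """All t in [0, m) with t^2 ≡ N (mod m); exhaustive, since m is small here."""
    return [t for t in range(m) if (t * t - N) % m == 0]


def qs_sieve(N, F, M):
    """Sieve Q(A) = (floor(sqrt N) + A)^2 - N for -M <= A <= M with logarithms.

    Returns (full, partial): A's whose Q(A) factors completely over the factor
    base, and A's whose residual log is below 2 log F, i.e. whose cofactor is a
    single prime p with F < p < F^2 (the large prime variation).
    """
    r = isqrt(N)
    assert r * r != N
    qvals = [(r + A) ** 2 - N for A in range(-M, M + 1)]
    logs = [log(abs(q)) for q in qvals]
    qmax = max(abs(q) for q in qvals)
    for p in factor_base(N, F):
        m = p
        while m <= qmax:                      # every prime power, so residuals are exact
            for t in sqrt_roots(N, m):        # hits: r + A ≡ t (mod m)
                start = (t - r + M) % m       # array index of the first such A
                for idx in range(start, 2 * M + 1, m):
                    logs[idx] -= log(p)
            m *= p
    full, partial = set(), set()
    for idx, residual in enumerate(logs):
        if residual < 0.5:                    # residual log ~ 0: completely factored
            full.add(idx - M)
        elif residual < 2 * log(F):           # one large prime cofactor in (F, F^2)
            partial.add(idx - M)
    return full, partial


def qs_trial_division(N, F, M):
    """Same classification by trial division of each Q(A), used as a check."""
    r = isqrt(N)
    base = factor_base(N, F)
    full, partial = set(), set()
    for A in range(-M, M + 1):
        q = abs((r + A) ** 2 - N)
        for p in base:
            while q % p == 0:
                q //= p
        if q == 1:
            full.add(A)
        elif q < F * F:                       # no factor <= F remains, so it is prime
            partial.add(A)
    return full, partial


if __name__ == "__main__":
    full, partial = qs_sieve(8051, 30, 60)    # constructed example: 8051 = 83 * 97
    print(sorted(full), sorted(partial))
```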

If this method is used together with the Davis variation, another method
should be used to produce the polynomials $Q_p(A)$. We can instead use (7). Let
g > F be a prime with $g \equiv 3 \bmod 4$ and $(N/g) = 1$. If b is the solution of (7),
we let $A_0 = b - \lfloor\sqrt N\rfloor \bmod g^2$. Then we can use the polynomial

$Q_{g^2}(A) = Q(A_0 + g^2 A)$

in the Davis variation. (We can also use $A_0' = -b - \lfloor\sqrt N\rfloor \bmod g^2$.)

Every value factored over the factor base is useful and we can use the large prime
variation on all of the $Q_{g^2}(A)$ for various choices of $g^2$. Note that there is less
overhead with producing the polynomials $Q_{g^2}(A)$ than the F(x) in Montgomery's
variation because g can be chosen smaller with Davis.

SMALL MODULI 

In trial division it takes just as long to test divisibility by 3 as by 101.
But sieving by 3 takes 101/3 times longer than 101 since it has more frequent "hits".
Thus a considerable percentage of sieving time is spent with the very smallest
moduli. This seems a waste since these small moduli contribute the least information.
One idea is to skip sieving with them completely. Say we do not sieve with any modulus
below 30. Then if 3 is in the factor base, for example, we will not sieve mod 3,
mod 9, nor mod 27. But we will sieve mod 81, subtracting $4\log 3$ (instead of
$\log 3$) at hits for this modulus. If P is the product of the highest powers of the
moduli skipped and if P < F, then we lose nothing by this strategy. Indeed, the
maximal error introduced in skipping the small moduli is at most $\log P < \log F$. Thus
if the residual log is less than $\log F$ the number has factored completely and
every completely factored number will have a residual log less than $\log F$.

If this idea proves good, one might "live dangerously" and let P be somewhat
bigger than F. In fact if we let P be around $F^2$ and use the large prime variation
too, the only residues lost will be some of the residues which factored with a
large prime. Of course, you may prefer not to lose anything.

USE OF A MULTIPLIER 

The factor base for N in the quadratic sieve algorithm consists of those
primes $p \le F$ with p = 2 or $(N/p) = 1$. If we replace N by $\lambda N$ where $\lambda$ is a
small positive square-free integer (Kraitchik again, see [4], p. 208 and [5], Ch. 2)
then the factor base changes. The expected contribution to $\log(x^2 - \lambda N)$ by the
power of p in $x^2 - \lambda N$ is

$E_p = (2\log p)/(p-1)$

if x is a random integer and $(\lambda N/p) = 1$. For p = 2 the expected contribution is

$E_2 = \begin{cases} \tfrac12 \log 2, & \text{if } \lambda N \equiv 3 \bmod 4 \\ \log 2, & \text{if } \lambda N \equiv 5 \bmod 8 \\ 2\log 2, & \text{if } \lambda N \equiv 1 \bmod 8. \end{cases}$

If $p \mid \lambda$ the expected contribution $E_p$ is $(\log p)/p$. Thus we wish to choose the
value of $\lambda$ so as to maximize the function

$F(\lambda, N) = -\tfrac12 \log|\lambda| + \sum_{p \le F} E_p$

where the sum is over those primes $p \le F$ with p = 2, $(\lambda N/p) = 1$, or $p \mid \lambda$. This
function is very similar to one associated with the continued fraction algorithm
(see [3], p. 391, Ex. 28 or [12]).
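The selection function $F(\lambda, N)$ with the $E_p$ rules above, as an added Python example (not code from the paper): it scores a handful of square-free multipliers for a constructed N and returns the best. The candidate list and N are my choices, and the code assumes no prime $p \le F$ divides N itself (such a p would already be a factor).

```python
from math import isqrt, log


def expected_log_contribution(p, lam, N):
    """E_p: expected contribution of the prime p to log(x^2 - lam N), x random."""
    lamN = lam * N
    if lamN % p == 0:                        # p | lam (lam square-free): (log p)/p
        return log(p) / p
    if p == 2:                               # lam N odd: the three cases for p = 2
        if lamN % 4 == 3:
            return 0.5 * log(2)
        return log(2) if lamN % 8 == 5 else 2 * log(2)
    if pow(lamN % p, (p - 1) // 2, p) == 1:  # (lam N / p) = 1: p is in the factor base
        return 2 * log(p) / (p - 1)
    return 0.0                               # p cannot divide x^2 - lam N


def multiplier_score(lam, N, F):
    """F(lam, N) = -(1/2) log lam + sum over primes p <= F of E_p."""
    primes = [p for p in range(2, F + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    return -0.5 * log(lam) + sum(expected_log_contribution(p, lam, N) for p in primes)


def best_multiplier(N, F, candidates=(1, 2, 3, 5, 6, 7, 10, 11, 13, 14, 15)):
    """The square-free candidate lam maximizing F(lam, N)."""
    return max(candidates, key=lambda lam: multiplier_score(lam, N, F))


if __name__ == "__main__":
    N = 8051                                 # constructed example: 8051 = 83 * 97
    for lam in (1, 2, 3, 5, 6, 7):
        print(lam, round(multiplier_score(lam, N, 7), 4))
    print("best:", best_multiplier(N, 7, (1, 2, 3, 5, 6, 7)))
```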



SPECIAL PURPOSE PROCESSORS 

J.W. Smith, S.S. Wagstaff, Jr., and I have discussed the feasibility of
building a special purpose processor to implement the quadratic sieve algorithm. We
are encouraged by the prospects. For a budget of perhaps $25,000 in parts, we believe
a "quadratic siever" could be built that would rival a Cray in speed. For ten or
twenty times as much money a machine could be built that could factor 100 digit
numbers in a month. Perhaps these figures are way off; it is hard to tell unless
one tries.

The basic idea of the "quadratic siever" would be to construct a sequence of
16 x 4K units each of which would sieve over an interval of length 4096. The largest
moduli (fastest through the sieve) would be started one after the other through the
sequence of units. There would never be interference of moduli because we have let
the fastest racers start first.

Another idea is to use many unextraordinary computers each using a different
batch of polynomials with one central computer which is fed the factored residues.

With all of these ideas we may begin to approach the 100 digit level in factoring.
But 150 digit numbers should be about 100,000 times harder and it seems clear
that current methodology is insufficient for factoring such huge numbers. However,
until someone proves that factoring must be hard, there will always be some doubt
about the security of RSA. When RSA was introduced 40 digit numbers were considered
hard to factor, while now we are doing 70 digit numbers and talking about
100 digit numbers. As always, the future is hard to predict.
Albuquerque, New Mexico 87185

Introduction 

It is well known that the cryptosecurity of the RSA (Rivest-Shamir- 
Adleman) two key cryptoalgorithm [1] is no better than the composite modulus 
is difficult to factor. Except for one special case, the converse statement 
is still an open and extremely important question. It is not so well known, 
perhaps, that there are several other crypto-like schemes whose performance 
is also bounded by the difficulty of factoring large numbers: the digital 
signature schemes of Ong-Schnorr [2], of Ong-Schnorr-Shamir [3] and of 
Schnorr [4], the oblivious transfer channel of Rabin [5] and the subliminal 
channel of Simmons [6] to name only a few. The point is that the difficulty 
of factoring large integers has become a vital parameter in estimating the 
security achievable in many secure data schemes — and conversely factoring 
techniques are potentially a tool for the cryptanalyst if the cryptographer 
misjudges the difficulty of factoring a composite number on which he bases 
a system. 

The Sandia National Laboratories have already fielded several secure 
data systems that are dependent on the difficulty of factoring for their 
security [7,8,9] and at least as many other applications are approaching 
realization. As a result, a concerted research effort was initiated in 1982
in the Mathematics Department at Sandia to define as sharply as possible the 
bounds on the computational feasibility of factoring large numbers, using 
the most powerful computers available — as efficiently as possible — with 
the factoring algorithms being carefully matched to the architecture of the 
machine on which the algorithm was to be run [10]. Our primary objective 
in this paper will be to present an overview of the advances in factoring 
resulting from this research. Later, we shall discuss in detail the mathe- 
matical and coding advances themselves. Suffice it to say that a roughly 
three-order of magnitude improvement in factoring — as measured by the 
time required to factor a particular size number — has been achieved by 
the Sandia researchers over what was possible (and well benchmarked) a 
few years ago. This is a combined effect due in part to a new generation 
of computers with much increased computing power and especially due to 
the unique architecture of the Cray family of machines, in part due to 
substantial advances in factoring algorithms and finally — and equally 
significant — in part attributable to the efficiency with which the algor- 
ithms have been coded for the specific computers. Our secondary objective 
will be to separate out the contributions of these three factors (to fac- 
toring progress) in order to both understand how the improvements of the 
past three years were achieved as well as to project what the state of 
the art in factoring is likely to be 5 to 10 years from now. 

An Overview 

The easiest question to ask concerning integer factoring and the
hardest to answer is: "How large a number is it computationally feasible
to factor using a general purpose factoring routine?" Figure 1 gives one
answer showing the record size numbers that were factored as an approximate
function of the year in which the factorization occurred — over a period
of roughly a decade. The data in Figure 1 were selected as being the most
indicative of the state of the art in factoring at the time, either because 
the factorization was generally acknowledged as a major achievement or 
advance or, as in the case of the Cunningham Table Project [11], because 
of the thoroughness with which the benchmark was defined. The reader 
should be aware, however, that these data points are virtually impossible 
to cross-compare. Within the Sandia data alone the times required to fac- 
tor the reported numbers range from 7.2 minutes to 32.3 hours, involve 
three generations of continuously changing computer codes and were run on 
either a Cray IS or a Cray X-MP computer. The other data have even more 
variability. The algorithms were run on widely different machines — some 
in a dedicated computing environment and others in a time sharing mode. 
In some instances, the total time required was reported, in others only 
that time required for the part of the algorithm that was of primary con- 
cern to the research. At this late date, there is no way that these 
results can be "normalized" to make them directly comparable. Instead, 
we exhibit Figure 1 as the best indicator we have of the progress in fac- 
toring during the past decade — with a strong caution to the reader to 
not try to read more into (or from) the figure than this. 

The first data point is the landmark factorization of F7, a 39-digit 
number, by Morrison and Brillhart [12] using their continued fraction 
algorithm. This algorithm was to become the progenitor of a series of 
steadily improving continued fraction algorithms that dominated the factor- 
ing scene until Pomerance's quadratic sieve [13] was first implemented at 
Sandia in 1982 [10]. Using an IBM 360/91 over a period of several weeks, 
Morrison and Brillhart found the necessary number of completely factored
quadratic residues in a total CPU time of only 90 minutes. They don't 
report the time required to carry out the Gaussian elimination (in 2700 
variables — primes) but it must have been large. Based on recent discus- 
sions with John Brillhart, it appears that their technique and machine 
could have factored numbers in the mid-forty digit range in times compar- 
able to the average of the times required for the two dozen or so factori- 
zations that make up the Sandia data points. The error bar on the Morrison 
and Brillhart data point therefore reflects a rough attempt to show the 
true capability of this factorization technique. 

Unquestionably, the most extensive — and up to date — compilation of 
integer factorizations ever made is the Cunningham Project Table [11] pub- 
lished by the AMS in 1983. As the authors say in the introduction, "The
present tables are now at the limit of what can be done by factoring through
50 digits." The mid-1981 data point representing this benchmark in Figure 1
indicates the spread above and below this 50-digit figure accounted
for by the variation in difficulty of specific numbers. Roughly speaking, 
the Cunningham Project Table established a well defined standard of the 
computational feasibility of factoring any 50-digit number in at most one 
day's computing time. This was the state of the art in the fall of 1982 
when the quadratic sieve in the form originally proposed by Carl Pomerance 
[13] was implemented by Davis and Holdridge at Sandia on a Cray IS. The 
Sandia effort was prompted by the recognition by Simmons, Tony Warnock 
of Cray Research and Marvin Wunderlich that the Cray's ability to effi-
ciently pipeline vector operations on vectors containing thousands of 
elements could be matched to the sieving operation that was the heart of 
the quadratic sieve factoring algorithm. The immediate results were startling.
A pair of 51 and 52-digit numbers — taken from the composite cofactor
list in the Cunningham Project Table that gave them a recognized certifi- 
cate of difficulty — were factored in under two hours. This represented 
a speed improvement of better than an order of magnitude on the first 
attempt over what had been possible only a year earlier when the Cunningham 
Project Table was sent to press. This algorithm, using a very memory effi- 
cient Gaussian elimination routine for binary matrices devised by Parkinson 
and Wunderlich [16], was found to have a feasible range of 50-58 digits, 
i.e., it could factor up to 58-digit numbers in approximately a day's CPU 
time . 

The next big advance occurred in 1983 when Davis discovered the spe- 
cial q variation to the basic quadratic sieve [10]. This innovation is so 
vital to the Sandia advances, and to the most recent factoring results 
shown in Figure 1, that it will be discussed in detail later. We also 
give some precise cross-comparisons of the time required to factor numbers 
using the quadratic sieve, both with and without the special q variation, 
later in this section, but roughly speaking this improvement bought another 
order of magnitude improvement in the speed of factoring. 

The last two data points in Figure 1 are another factor of six or seven 
removed from the points in the error bar for the special q algorithm. This 
is due to the optimization of the coding of the special q algorithm for the 
Cray — attributable in large part to an improved search algorithm developed 
by Tony Warnock. In addition, Holdridge found that by "unrolling" the 
nested loops in the code the running times could be substantially improved. 
In other words, the six-fold improvement between the special q case and 
the 69 and 71-digit examples is primarily due to the substantially improved 
efficiency with which the computers were coded and used. 
The research on factoring at the Sandia National Laboratories has been 
proof tested at each stage of algorithm development on numbers that were left 
unfactored in [11] and which were cited as being of either extraordinary 
interest or difficulty to factor, or both. For example, in [11] there is a 
table of the "Ten 'Most Wanted' Factorizations" that included as the first 
two entries the composite cofactors of the only two surviving unfactored 
composite numbers from Mersenne's 1640 list, 2^211 - 1 and 2^251 - 1. Since this 
list was essentially an open challenge to the factoring community, we have 
responded by factoring all ten of them (nine of them for the first time). 
In the "shorthand" notation of [11], the numbers and the vital statistics 
of their factorization are shown in Table I. 2,211- C60 denotes the 
60-digit composite cofactor of 2^211 - 1, etc. The cofactors themselves are 
tabulated in [11]. Figure 2 plots the total computing time required to 
factor these numbers. As already mentioned, there have been three distinct 
generations of quadratic sieving algorithms, although refinements and 
improvements have occurred steadily in each generation of software. The 
+ symbol denotes factorizations made with the original quadratic sieve, □ 
the special q algorithm and △ the segmented (partitioned matrix) Gaussian 
elimination codes that make it possible to handle much larger prime bases 
than would otherwise be possible. The 54-digit outlier (2,212+) is the 
result of factoring a small number using the partitioned matrix code, so 
that almost all of the time shown was overhead spent in moving blocks of 
the matrix into and out of memory. It is included for completeness, but 
would have taken roughly the same time to factor using only the special 
q algorithm. Incidentally, the approximating curves are simply fits of 
$L(n)^c$, where 

$$L(n) = e^{\sqrt{\log n \,\log\log n}}$$ 

is the bound that most of the general purpose factoring algorithms seem 
to obey [13]. 

Especially noteworthy is the 58-digit number (#7, 3,124+ from [11]) 
that was factored twice; first using the basic quadratic sieve in a time 
of 8.78 hours and then again using the special q algorithm in 1.76 hours, 
a five-fold improvement in speed. This provides a crisp cross- 
comparison of the algorithms since both factorizations were done on the 
Cray 1S with codes developed by Holdridge within a very short time span. 
Hence, the improvement in this case is directly attributable to the mathe- 
matics (special q algorithm). An even more spectacular, but also more 
difficult to interpret, cross-comparison is possible. In [13] Pomerance 
discusses the benchmark 49-digit number 

$$\frac{3^{121} - 1}{(3^{11} - 1)\cdot 11617}$$ 

factored by Sam Wagstaff in 70 hours of computing and projects that it 
might be possible by various refinements (such as the early abort technique) 
to reduce the running time to as little as 20 hours. The latest generation 
of Sandia algorithms factored this number in 4 minutes and 34 seconds: a 
ratio of 920 to 1 in computing time! Admittedly, this timing comparison is 
hard to interpret since different machines and different factoring 
algorithms were used, but the comparison supports our earlier statement 
that a roughly three-order of magnitude overall improvement in the speed 
of factorization has been achieved. Other comparisons yield similar results. 

Twenty-five large numbers (> 40 digits) have been factored at Sandia, 
plus many other smaller numbers for which the overhead obscures the time 
actually spent in factoring. Figure 3 shows a least squares fit of $L(n)^c$ 
to the data on numbers of at least forty digits for the three generations 
of algorithms; marked +, □ and △ as before. Note, however, that in an 
effort to make the data machine independent, we have plotted the number of 
elementary machine operations (shifts, adds, XOR, etc.) rather than the 
total time required to factor a number. The △ curve is translated upward 
in Figure 3 compared to the same curve in Figure 2 since the Cray X-MP has 
a basic clock frequency of 105 MHz compared to the 80 MHz clock frequency 
for the Cray 1S, so that the elapsed time (Figure 2) for a given number of 
elementary operations on the X-MP is roughly 3/4 of what it would be on 
the 1S. The most obvious conclusion to be drawn from Figure 3 is that the 
Sandia work has, for a given number of machine operations, roughly 
increased the size of the number that can be factored by thirteen digits. 
This may not sound like much of an improvement, but over the range from 40 
to 75 digits, essentially independent of the algorithm used, for each 
three-digit increase in the size of the number to be factored the time 
required roughly doubles. This translates into slightly more than a 20- 
fold improvement in factoring resulting from the Sandia work, independent 
of the machine. This latter statement assumes that the machine is vectori- 
zed so that the quadratic sieve can be accommodated efficiently and also 
that the memory is organized in such a way that data can be "streamed" 
through an arithmetic unit and back into memory, etc., as is needed for 
an efficient implementation of a quadratic sieve. The Crays have this 
type of architecture, but so do the NEC SX-2, the Fujitsu VP-200 and the 
Hitachi S-810 [14,15]. 

A sort of "sound barrier" in computing is 10^12 operations. At present 
this is a generally accepted dividing line between what is computationally 
feasible and infeasible. Figure 4, taken from the same data shown in Fig- 
ures 1 and 3, shows how large a composite "hard" number could be factored 
using 10^12 operations with the various generations of Sandia quadratic 
sieving algorithms and codes. Again, the roughly thirteen-digit overall 
improvement mentioned earlier can be seen to hold at 10^12 operations, 
decreasing to roughly ten digits of improvement at a smaller number of 
operations, the difference being due to the relative effect of the fixed 
overhead in the computation. 

Figure 4. Size of composite "hard" number factorable by 10^12 operations. 

The third factor, in addition to the algorithmic improvements and 
the advances in the speed and power of the machines on which the algorithms 
are run, that has made a major contribution to speeding up the factoriza- 
tion of large numbers is the architecture of the Cray family of computers 
(or of the Cray-like vectorized machines such as the NEC SX-2, the Fujitsu 
VP-200 and the Hitachi S-810). We presuppose here that the reader is 
either already acquainted with the essential steps in factoring using a 
quadratic sieve, or else that he will return to this portion of the paper 
after having read the detailed discussion of the algorithm steps. Roughly 
speaking there are three major time-consuming steps. One involves the 
subtraction of the logarithm of a prime number, p_i, from on the order of 
(1/p_i) × 10^10 locations for the largest numbers factored. Another requires 
forming the ring sum (exclusive OR, or ⊕) of a pair of binary vectors 
7,000 to 15,000 bits long several million times. The third task, which has 
often been described as searching for a needle in a 10^9 haystack, is a 
search over ≈ 10^10 locations looking for linear dependencies, where we 
expect on average 20 "hits" in the 10^10 items searched. To appreciate the 
impact of the computer architecture on the speed of execution, consider the 
first operation described above, in which the same quantity, -log p_i, is 
to be added to a string of memory locations that can be indexed in such a 
way that the locations to which -log p_i is to be added differ by a constant 
p_i. The total string length is ≈ 10^10. In a machine of more or less 
conventional architecture in which data is fetched from memory, operated on 
in the arithmetic unit (AU) and the result then returned to memory, this 
sort of operation is slow. Programmed optimally on a CDC 7600 only a 
1 megabit per second effective throughput is possible. The Cray however 
has the ability to "stream" information from memory through the AU and 
back into memory for a fixed operation without pausing for fetch, store 
or interpret states. As a result, we can carry out this operation, 

      DO 10 I = J, N, P(J)          (N = 10^10) 
   10 A(I) = A(I) - X(P(J)) 

where X(P(J)) is the logarithm of p_j, at 1/2 the clock rate of 80 MHz on 
the Cray 1S and at the full clock rate of 105 MHz on the Cray X-MP. In 
other words, the architecture alone has accounted for a speed up of nearly 
forty times (Cray X-MP with 105 MHz clock versus CDC 7600 with a 37 MHz 
clock rate) for this type of operation! In order to exploit the capability 
to stream information from the memory through the AU and back into memory, 
the algorithm must have many long strings on which a fixed operation 
needs to be performed. The recognition that quadratic sieving could be 
organized in such a way that this feature of the Crays could be exploited 
is what prompted the Sandia research in the first place. 

The exclusive or operation 

      A(I) = A(I) ⊕ B(I) 

goes at the same rate as the subtraction, i.e., the Cray 1S streams at 
1/2 × 80 MHz while the Cray X-MP can stream data at 1 × 105 MHz. The 
search operation in either of the Crays has an overhead that only allows 
a throughput of 2/3 of the clock rate, i.e., 2/3 × 80 MHz for the Cray 1S 
or 2/3 × 105 MHz for the Cray X-MP. 

In addition to using the ability of the Crays to stream data, Holdridge 
did a timing analysis and found that if the major sieving loop was "unrol- 
led", the same computation could be carried out even faster. 

As a result of the timing analysis of the sieving code it was also deter- 
mined that a great deal of time was spent in searching. Once the sieving is 
done, those vector entries that have reached a specified limit must be found 
and saved. The search, written in Fortran with an "if" statement, was not 
vectorized by the Cray compiler. The search is now done by a Cray Assembly 
Language (CAL) subroutine which does use the vectorization capability and 
is much faster. 

The bottom line, when all of these refinements are included and when 
one weighs the efficiencies for the various operations with the relative 
times spent in carrying out the associated calculation, is that the Cray 
1S, running the quadratic sieve, has a throughput (bits of meaningful infor- 
mation processed per second) of 1/4 × 80 MHz while the Cray X-MP achieves 
3/4 × 105 MHz. Both of these figures are quite impressive since they 
indicate that the coding is exceptionally taut, so much so that Cray 
scientists have said that these codes come the closest to running the 
Crays "flat out" of any codes they know of. The point is that since no 
code can have a throughput greater than the clock rate, and since the 
throughput with these codes (especially on the X-MP) is so close to the 
clock rate, there is only a marginal improvement possible from further 
refinements of the coding, for the present factoring algorithms. Almost 
an order of magnitude of the total advance in factoring achieved at Sandia 
is attributable to the efficiency with which the Crays are being used, 
i.e., to the tautness of the codes. 

We can extrapolate the future of factoring a short distance into the 
future with relatively high confidence. First, the Cray X-MP is a dual 
processor machine in which the present Sandia code has only used one of 
the processors. Preliminary work on splitting up the main parts of the 
quadratic sieving calculation so that two processors can be efficiently 
employed (a nontrivial task, incidentally) suggests that it may be pos- 
sible to gain a factor of ≈ 1.7 in computing effectiveness by using the 
X-MP to its fullest. Using the rule of thumb that doubling the computing 
time roughly equates to increasing the size of the number that can be 
factored with a fixed amount of work by three digits, taking advantage 
of the dual processor capability of the Cray X-MP should make it possible 
to factor numbers of 73-74 digits in the same time required to factor the 
71-digit number using a single processor. Another way of stating this 
result is: with the present code and using the Cray X-MP, 75-digit numbers 
should be factorable in roughly a day's computing time. 

Looking at the next generation of vectorized machines, especially 
the Cray II and also the Fujitsu VP-200 or the NEC SX-2 [14,15], all will 
have a 256 million word high-speed memory compared to the four million word 
memory on the Cray X-MP used in the research reported here. The Cray II 
has a projected arithmetic capability of 2000 megaflops (millions of float- 
ing point operations per second) while the Japanese machines have 533 and 
1300 megaflops respectively, compared to ≈ 100 megaflops for the Cray X-MP. 
Perhaps more significantly for the quadratic sieve algorithm, all have an 
improved vectorization capability; 80 K for the SX-2 and 64 K for the VP-200 
compared to the 4 K capability of the Cray 1S or 2 × 4 K of the Cray X-MP. 
All of these factors when combined suggest that the Cray II and probably 
the Fujitsu VP-200 or the NEC SX-2 will be roughly eight to nine times 
more effective in factoring using the quadratic sieve than is the Cray 
X-MP. This translates into an increase in the size of the numbers that 
can be factored of ≈ 10 digits. We therefore feel quite confident in pro- 
jecting that 85-digit numbers will be factorable in a day's time using 
the machines that will be available in the next year or so, as indicated in 
Figure 1. 

Beyond that point, we leave it to the reader to draw his own conclu- 
sions. It is unlikely, however, that either of the curves in Figures 1 or 
4 showing recent progress in factoring will suddenly go "flat", but whether 
the exponential rate of change will continue is impossible to predict. 
What does appear plausible to predict, though, is that it will be feasible 
to factor 100 digits by the end of the decade, i.e., by 1990. 

Fanciful Factoring 

Most general purpose factoring algorithms (continued fraction, 
Schroeppel's sieve and the various quadratic sieves) depend for their 
success on the following simple observation. In the ring of residues 
modulo a composite number n, any quadratic residue, y, i.e., a residue 
that is the square of some other element in the ring, has at least four 
"square roots", and perhaps many more depending on the choice of y and 
on the prime decomposition of n. If there existed an oracle that, when 
presented with a quadratic residue, y, would pronounce a square root of y, 
then n could be factored with probability that goes to 1 exponentially 
fast in the number of queries. For example, if n = pq, p and q distinct 
primes, and y ≡ x^2 (mod n) where x has the unique representation 
x ≡ ap + bq (mod n), with 0 < a < q and 0 < b < p, then y has the four 
square roots (±a)p + (±b)q, where we interpret -a as q - a and -b as 
p - b. To factor n using the services of the oracle, choose x = ap + bq 
(at random) and compute the quadratic residue 
y ≡ x^2 ≡ a^2 p^2 + b^2 q^2 (mod n). We, of course, do not know a, p, b 
or q, since we don't yet know the factorization of n, but we do know x 
and y. The oracle, when presented with y, would with probability 1/2 
pronounce either y^{1/2} = ap + bq or y^{1/2} = (-a)p + (-b)q, in which 
case we learn nothing about the factorization of n. On the other hand, 
with probability 1/2 the oracle would pronounce either 
y^{1/2} = ap + (-b)q or y^{1/2} = (-a)p + bq, in which case the two 
greatest common divisors 

    (x + y^{1/2}, n)  and  (x - y^{1/2}, n) 

would be either p and q or else q and p, respectively, depending on which 
root the oracle chose. 

All of the general purpose factoring algorithms mentioned cause the 
computer to function (ultimately) in the same way as our fancied oracle. 
The main difference is that instead of getting back a square root as the 
response to a submitted quadratic residue, the algorithm yields a sequence 
of intermediate answers that ultimately amount to one of the oracle's 
responses. Just as in the case of the oracle, a quadratic residue, Q_i, 
is presented to the algorithm, but the response is not (except in the 
rarest of cases) a square root of Q_i, but rather the prime decomposition 
of Q_i, in which some of the prime factors may occur to an odd power. 
Hence it is computationally infeasible to infer a square root of Q_i from 
the response, since this would be equivalent to being able to factor n. 
If after sufficiently many responses, however, a subset of the Q's can be 
found for which each of the primes that has occurred as a factor in some 
one of the Q's has occurred an even number of times in all, then we are 
able to effectively recreate one of the oracle's responses. Since the 
product of the Q's is a quadratic residue of a root that we know, and the 
square root of the product of the primes is trivially the product of each 
of the primes raised to half of its even exponent, it is also feasible to 
calculate a square root. Just as in the case of the oracle, when n = pq 
there is only a 50-50 chance that this will lead to a factorization of n, 
with comparable probabilities for other composite n, but this is the essen- 
tial notion underlying the various factoring schemes. 
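The oracle argument above, carried out in code. This is an added illustration written for this edition, not code from the original paper. The oracle is simulated by a routine that was built knowing p and q (which is precisely the point: answering square-root queries is as hard as factoring), the root-finding helper assumes p ≡ q ≡ 3 (mod 4) so that a square root modulo each prime is a single exponentiation, and the primes 10007 and 1000003 and the random seed are constructed for the example. The factoring routine itself uses only n, x and the oracle's answer.

```python
from math import gcd
import random


def decompose(x, p, q):
    """Write x = a*p + b*q (mod n) with 0 <= a < q and 0 <= b < p, as in the text.
    a*p = x (mod q) and b*q = x (mod p), so (a, b) are CRT coordinates of x."""
    a = x * pow(p, -1, q) % q
    b = x * pow(q, -1, p) % p
    return a, b


def four_roots(y, p, q):
    """All square roots of the quadratic residue y modulo n = p*q.
    Assumed: p = q = 3 (mod 4), so y^((p+1)/4) is a square root of y mod p."""
    n = p * q
    rp = pow(y, (p + 1) // 4, p)          # a root of y modulo p
    rq = pow(y, (q + 1) // 4, q)          # a root of y modulo q
    # x = a*p + b*q satisfies x = a*p (mod q) and x = b*q (mod p)
    a = rq * pow(p, -1, q) % q
    b = rp * pow(q, -1, p) % p
    # the four roots (+-a)p + (+-b)q, reading -a as q-a and -b as p-b
    return sorted({(sa * p + sb * q) % n for sa in (a, q - a) for sb in (b, p - b)})


def make_oracle(p, q, rng):
    """The fancied oracle: given y it pronounces one of the four roots at random.
    It can do so only because it was constructed with p and q in hand."""
    return lambda y: rng.choice(four_roots(y, p, q))


def factor_with_oracle(n, oracle, rng, max_queries=128):
    """Pick x at random, submit y = x^2 (mod n), and split n with a gcd.
    For n = pq each query succeeds with probability 1/2, so the chance of
    still failing after k queries is 2^-k. Returns ((p, q), queries) or (None, k)."""
    for k in range(1, max_queries + 1):
        x = rng.randrange(2, n)
        d = gcd(x, n)
        if d != 1:                          # x itself already shares a factor with n
            return tuple(sorted((d, n // d))), k
        root = oracle(x * x % n)
        if root in (x, n - x):              # oracle answered +-x: learn nothing
            continue
        d = gcd(x + root, n)                # either of the other two roots splits n
        return tuple(sorted((d, n // d))), k
    return None, max_queries


def demo(seed=2024):
    """Whole experiment on constructed primes (both 3 mod 4); returns (factors, queries)."""
    p, q = 10007, 1000003
    rng = random.Random(seed)
    return factor_with_oracle(p * q, make_oracle(p, q, rng), rng)


if __name__ == "__main__":
    print(demo())
```

The `decompose` helper is not needed to factor; it is there so that one can check that the four values returned by `four_roots` really are the (±a)p + (±b)q of the text for a given x. Note that the loop never needs p or q: every piece of knowledge about the factorization enters through the oracle's answer alone.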
Quadratic Sieving: Plain 

Given an odd number, n, to be factored, the basic quadratic sieving 
scheme [13] calculates a sequence of (relatively) small quadratic residues 

$$Q(x) = (x + m)^2 - n \qquad (1)$$ 

where m = [√n]. If |x| < B and B ≪ √n, then Q(x) will be "close" to 
√n in magnitude. It is important to keep Q(x) small since the algorithm 
attempts to factor Q(x) over a prescribed, but restricted, set of primes. 
This set of possible factors of Q(x) consists of precisely those primes for 
which n is a quadratic residue, i.e., 2 and the odd primes, p, for which 
the Legendre symbol (n/p) = 1. Fortunately, the Legendre symbol is easy 
to calculate in a manner similar to the Euclidean algorithm for finding 
the greatest common divisor, so that it is computationally easy to find 
the t-1 smallest odd primes, p_i, for which (n/p_i) = 1. The set of t+1 
elements (-1, 2, p_i) we shall refer to as the factor base. In order for 
the algorithm to succeed, we must find sufficiently many quadratic residues, 
Q(x), that factor completely into factors in the factor base so that it is 
possible to find some subset of the Q(x) among which the prime factors 
have all occurred an even number of times. The justification for referring 
to the procedure as a sieve is now easy to see. If p^a | Q(x) for some x, 
then p^a | Q(x ± h p^a), h = 0, 1, 2, ..., hence the division of the resulting 
sequence of quadratic residues can be performed by a sieve-like operation 
at argument values indexed in an arithmetic progression with spacing of 
p^a. One of the primary reasons for the speed of the quadratic sieving 
algorithm is that instead of having to carry out multiple precision trial 
divisions, as is required in some of the other general purpose factoring 
algorithms, we can use single precision subtraction of approximate logar- 
ithms on the Q(x ± h p^a), i.e., at only those positions where it is 
already known that p^a is a divisor. 

Since we must ultimately be able to combine a subset of the factored 
residues by multiplication to form a perfect square, i.e., to simulate a 
response by the oracle, we need to find a linear combination of the expon- 
ents for the primes appearing in the various factorizations such that the 
sum is even in each entry (for each prime). In order to have a reasonable 
chance of finding such a dependency we should have approximately as many 
completely factored residues as we have primes in the factor base. One 
might conclude from this that t should be small. However, if we take t 
to be too small, then a given residue is not likely to factor. On the 
other hand, if we take t to be too large, we spend more time sieving and 
will have to find many more factorizations in order to be able to find a 
linearly dependent subset. It is clear, though, that qualitatively speak- 
ing, as the magnitude of n increases, the number of entries, t, in the 
factor base should also increase. If one had no storage constraints, it 
would be possible to optimize the size of the factor base in order to 
minimize running time. In fact Wunderlich has analyzed, partly theoreti- 
cally and partly empirically, the optimum size of the factor base as a 
function of the size of n, but the conclusion is that this optimum is so 
large that using a t of this size would result in an impractically large 
matrix even for the Cray X-MP; hence, we simply use as large a factor base 
as we can accommodate. 

A detailed discussion of the coded implementation of quadratic sieves 
is inappropriate to the objectives of this paper; however, it is necessary 
to understand the essential steps involved in using sieves for factoring 
in order to appreciate why and how the Cray machines can be so well matched 
to the algorithm. For the Q(x) defined in (1), we wish to find solutions, 
x, to the related congruences 

$$Q(x) \equiv 0 \pmod{p_i} \qquad (2)$$ 

for p_i an element in the factor base. As already remarked, (2) has solutions 
precisely when (n/p_i) = 1, p_i | n or p_i = 2. If (n/p_i) = 1 then (2) has two 
solutions, which are usually represented as A_i1 and B_i1 ≡ -(A_i1 + 2m) (mod p_i). 
The sieving process depends on the fact that if we had a list of consecu- 
tive values of Q(x) indexed by x, then for all indices x = A_i1 ± h p_i and 
x = B_i1 ± h p_i the associated Q(x) would be divisible by p_i. The sieving 
procedure consists of dividing out (effectively) p_i from only these Q(x) 
while leaving all other Q(x) unaffected. This requires two sievings of 
the array per prime, one for each solution to (2), but as we shall see, 
the whole procedure can be implemented very efficiently. 

As a matter of fact, we actually wish to solve a slightly more general 
version of (2), 

$$Q(x) \equiv 0 \pmod{p_i^{\,j}} \qquad (3)$$ 

since the smaller primes may occur to some power > 1 in the factorization 
of Q(x) over the factor base. We therefore choose a bound L and sieve for 
all p_i^j < L where p_i is in the factor base. We have generally taken L 
to be the length of one sieving block (8 × 10^5 on the Cray 1S). This gives 
at least one successful division per prime power per sieving interval. 

For each odd prime p_i in the factor base and each exponent j such 
that p_i^j < L, compute and save the two integers A_ij and B_ij that are 
obvious generalizations of the A_i1 and B_i1 defined in connection with 
(2). A_ij is the least nonnegative residue (mod p_i^j) that satisfies (3) 
and B_ij ≡ -(A_ij + 2m) (mod p_i^j) is its paired solution. These starting 
addresses for sieving are stored along with the associated weight log p_i. 
In the same way that Q(x) was sieved for p_i, we sieve at x = A_ij ± h p_i^j 
and x = B_ij ± h p_i^j by subtracting the weight log p_i, j > 1. If l is 
the highest power of p_i that divides Q(x) for some particular argument 
x and p_i^l < L, then log p_i will be subtracted from Q(x) precisely l times 
by this procedure, as it should be. 

The prime 2, of course, has every odd integer as a quadratic residue, 
but x^2 ≡ n (mod 4) has a solution if and only if n ≡ 1 (mod 4). Also for 
k ≥ 3, x^2 ≡ n (mod 2^k) has solutions if and only if n ≡ 1 (mod 8). Thus, the 
indices for sieving with powers of 2 must be chosen in a somewhat dif- 
ferent fashion depending on the residue class of n mod 8. Following a 
suggestion of Pomerance, these sieving parameters are assigned as follows. 

In all cases 

    A_11 ≡ (1 - m) (mod 2);    A_12, B_11, B_12 undefined. 

The other values of A_1j, B_1j must be treated as three distinct cases: 

1) n ≡ 1 (mod 8) 

   For j = 3, 4, ..., with 2^j < L, A_1j is chosen such that 

       (A_1j + m)^2 ≡ n (mod 2^{j+1})  and  0 ≤ A_1j < 2^j, 

       B_1j ≡ -(A_1j + 2m) (mod 2^j). 

   A_11 is assigned weight 3 log 2. All other defined A_1j, B_1j 
   have weight log 2. 

2) n ≡ 3 (mod 4) 

   A_11 is assigned weight log 2. Other A_1j, B_1j are undefined. 

3) n ≡ 5 (mod 8) 

   A_11 is assigned weight 2 log 2. Other A_1j, B_1j are undefined. 
In sieving, start from the origin (x = 0) and sieve in both positive 
and negative directions until approximately t of the Q(x) have factored 
completely over the factor base. Because of some overhead in the initial- 
izing of arrays and the pipelining capability of the Crays, we sieve on 
intervals which are as large as possible, say of length k, [0,k), [-k,0), 
[k,2k), ... ; k = 765,000 on the Cray 1S and 1.5 × 10^6 on the Cray X-MP. 

In order to be able to carry out the factorization by subtraction, we 
need to first fill the arrays with approximate (single precision) values of 
log|Q(x)|, x ∈ [ℓk, (ℓ+1)k). After the first positive and negative blocks, 
these logarithms are taken as constant in a given sieving interval. When an 
array has been initialized in this way, we sieve on p_i^j by subtracting the 
assigned weight (usually log p_i as discussed above) from each log Q(x) in the 
arithmetic progression of indices 

    x = A_ij ± h p_i^j  and  x = B_ij ± h p_i^j 

in the sieving interval [ℓk, (ℓ+1)k). 

When the sieving procedure is completed for a given block, the con- 
tents remaining in each location are compared with log p_t, where p_t is the 
largest prime in the factor base. Values that are smaller than log p_t 
indicate that the residues corresponding to these locations have been factored 
entirely into the primes in the factor base, and these addresses are stored. 
Occasional false alarms due to approximations are eliminated later. Notice 
that very little multiple precision arithmetic is needed. The sieving 
procedure is repeated block-by-block until the desired number of Q's have 
been found that factored completely over the factor base. Once this has 
been done, it should be possible to find a subset of the Q's among which 
each of the primes has occurred an even number of times in total. The 
problem of finding such a subset can best be treated as a problem of find- 
ing a linear d ependency among vectors over GF(2). For each address at 
which Q(x_i) factored completely over the factor base, as indicated by the 
entry being less than log p_t, Q(x_i) is now actually factored by dividing 
out the factors in the prime base to get 

$$Q(x_i) = \prod_{j=0}^{t} p_j^{\alpha_{ij}}, \qquad p_0 = -1,$$ 

with which we associate a binary, t+1 element, vector V_i = (v_ij) where 
v_ij = 1 if α_ij is odd and 0 otherwise. This results in a roughly t by 
t+1 binary array, in which all of the essential information concerning the 
factorization of each Q(x_i) is stored in t+1 bits, or 2^{-6}(t+1) words 
in the Cray. Now we need to find a subset, S, of the V_i such that 

$$\bigoplus_{i \in S} V_i = \phi$$ 

where ⊕ denotes exclusive OR and φ denotes the zero vector. 
This is a straightforward problem in Gaussian elimination over GF(2). 
We use an improved version of a code developed by Parkinson and Wunderlich 
for this part of the calculation [16]. Once such a subset S is found, and 
w and z are calculated from 

$$w \equiv \prod_{i \in S} (x_i + m) \pmod n, \qquad \text{where } Q(x_i) = (x_i + m)^2 - n,$$ 

$$z \equiv \prod_{j=0}^{t} p_j^{\,\frac{1}{2}\sum_{i \in S} \alpha_{ij}} \pmod n,$$ 

so that $w^2 \equiv \prod_{i \in S} Q(x_i) \equiv z^2 \pmod n$; if w ≢ ±z, 
n can be factored by calculating the greatest common divisors 

    (w + z, n)  and  (w - z, n), 

both of which will be proper divisors of n. It may be the case that neither 
is a prime and that the procedure will have to be iterated to eventually 
obtain the prime decomposition of n; however, the factor base remains the 
same and the factorizations of the Q(x) have already been done, so that 
only the end calculation would need to be repeated with some other linearly 
dependent subset. 

For Example 

Since this has been — unavoidably — a rather lengthy discussion, we 
illustrate the basic quadratic sieve factoring algorithm using a small 
example . 

Let n = 37-137 = 5069, so that m = [/jOoT] = 71. 

This example was "cooked" so as to have many small primes in the factor 
base, i.e., 5069 is a quadratic residue of 5,7,11 and 13, hence the factor 
base for t = 5 consists of -1,2,5,7,11,13. 

First 5069 = 5 (mod 8), so that 2 2 |Q(0 ± 2h) and no other values of 
Q(x) are divisable by a power of 2 from the earlier discussion of A^j and 
B 2. j - Similarly, it is easy to show that for p2 = 5, A 2 i = 1 and hence 
that B 2 i = -(1 + 2m) 5-3 a 2 (mod 5). Thus 5|Q(1 ± 5h) and 5|Q(2 + 5h), 
etc. Similar results hold for p = 7, 11 and 13. Table II shows the 



Table II 



X 




1 


2 


3 


4 


5 


6 


7 


8 


9 


x-h. 




72 


73 


74 


75 


76 


77 


78 


79 


80 


Q(x) 




115 


260 


407 


556 


707 


860 


1015 


1172 


1331 


Factors froa 


base 


5 


2 2 -5-l3 


11 


22 


7 


22-5 


5-7 


22 


ll 3 


Realdual 




23 




37 


139 


101 


43 


29 


293 




X 




a 


-1 


-2 


-3 


-4 


-5 


-6 


-7 


-8 


x-Ha 




71 


70 


69 


68 


67 


66 


65 


64 


63 


<Xx> 




-28 


-169 


-308 


-445 


-580 


-713 


-844 


-973 


-1100 


Factors from 


base 


-1-22-7 


-1-132 


-l-2 2 -7-ll 


-1-5 


-1-22-5 


-1 


-1-22 


-1-7 


-l-2 2 -5 2 -U 


Residual 










89 


29 


713 


211 


139 


















(23-31) 
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shows the quadratic residues Q(x) for -8 < x < 9, six of which factor com- 
pletely over the factor base. The periodic appearance of the factors on 
which sieving is based is easy to see. The corresponding binary matrix 
V is of the form. 



-1 2 5 7 11 13 



V 9 

v 2 
vo 

V-l 
V-2 
V-8 



1 1 
1 



Three subsets of the sum (exclusive OR) to <|>: 

V 0 © V_! © V_ 2 © V_ 8 = 

V 9 © V 0 © V_ 2 = * 



(a) 
(b) 
(c) 



The relationship in (a) corresponds to having presented the quadratic
residue 3625 to the oracle:

3625 ≡ Q(0)Q(-1)Q(-2)Q(-8) (mod 5069)

     ≡ (71)^2 (70)^2 (69)^2 (63)^2 (mod 5069).

In this case the algorithm (oracle) returns the result that

z = 2^3·5·7·11·13 ≡ 4557 (mod 5069)

while we can calculate

w = 71·70·69·63 ≡ 512 (mod 5069)

which tells us nothing whatsoever about the factorization of n, since
4557 ≡ -512 (mod 5069).
If however we use either of the other two linear dependencies, we have
corresponding to (b):

80·70·63 ≡ ±2·5·11^2·13 (mod 5069)
3039 ≡ ±523 (mod 5069)

and hence

(3039 + 523, 5069) = 137
(3039 - 523, 5069) = 37.

While corresponding to (c):

80·71·69 ≡ ±2^2·7·11^2 (mod 5069)
1607 ≡ ±3388 (mod 5069)

and hence

(3388 + 1607, 5069) = 37
(3388 - 1607, 5069) = 137

either of which leads to the factorization of n.
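The plain quadratic sieve as just walked through, re-implemented as an added example (not the Sandia code the paper describes): it rebuilds the factor base and the six smooth residues of Table II for n = 5069, finds the GF(2) dependencies among their exponent vectors, and tries the gcd step on each; names such as `trial_factor`, `dependencies` and `try_split` are this example's own.

```python
from math import gcd, isqrt

N = 5069   # the paper's toy modulus, m = floor(sqrt(N)) = 71
T = 5      # number of primes in the factor base (besides -1)


def is_prime(p):
    return p > 1 and all(p % d for d in range(2, isqrt(p) + 1))


def factor_base(n, t):
    """-1, 2, and the next t-1 odd primes p for which n is a quadratic residue mod p."""
    base = [-1, 2]
    p = 3
    while len(base) < t + 1:
        if is_prime(p) and pow(n, (p - 1) // 2, p) == 1:   # Euler's criterion
            base.append(p)
        p += 2
    return base


def trial_factor(q, base):
    """Exponent vector of q over base (index 0 is the sign), or None if not smooth."""
    exps = [0] * len(base)
    if q < 0:
        exps[0], q = 1, -q
    for i, p in enumerate(base[1:], start=1):
        while q % p == 0:
            exps[i] += 1
            q //= p
    return exps if q == 1 else None


def collect_relations(n, base, lo, hi):
    """Q(x) = (x+m)^2 - n for lo <= x <= hi; keep the smooth ones as (x+m, exponents)."""
    m = isqrt(n)
    rels = []
    for x in range(lo, hi + 1):
        exps = trial_factor((x + m) ** 2 - n, base)
        if exps is not None:
            rels.append((x + m, exps))
    return rels


def dependencies(rows):
    """Gaussian elimination over GF(2) on the parity vectors; each returned set of row
    indices XORs to the zero vector, so the product of its Q(x) values is a square."""
    pivots, deps = {}, []
    for i, exps in enumerate(rows):
        v = sum((e & 1) << j for j, e in enumerate(exps))
        comb = 1 << i                       # bitmask of the rows folded into v
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = (v, comb)
                break
            pv, pc = pivots[hb]
            v, comb = v ^ pv, comb ^ pc
        else:                               # v reduced to 0: a dependency
            deps.append({j for j in range(len(rows)) if comb >> j & 1})
    return deps


def try_split(n, base, rels, dep):
    """w = product of (x+m), z = sqrt of the product of Q(x) mod n (from the halved
    exponents); gcd(w -/+ z, n) splits n unless w = +/-z, as happens in case (a)."""
    w, total = 1, [0] * len(base)
    for i in dep:
        w = w * rels[i][0] % n
        total = [a + b for a, b in zip(total, rels[i][1])]
    z = 1
    for p, e in zip(base, total):
        z = z * pow(p, e // 2, n) % n
    for g in (gcd(w - z, n), gcd(w + z, n)):
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None


def quadratic_sieve(n=N, t=T, lo=-8, hi=9):
    """Returns the factor pair found from the first usable dependency, or None."""
    base = factor_base(n, t)
    rels = collect_relations(n, base, lo, hi)
    for dep in dependencies([e for _, e in rels]):
        split = try_split(n, base, rels, dep)
        if split:
            return split
    return None
```

The first dependency the elimination produces is (a), whose w ≡ -z is rejected; the second is (b), which yields 37·137.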

It is this "plain" quadratic sieve factoring algorithm that was first
implemented at Sandia, with the results documented in earlier portions of
this paper. In attempting to use this technique to factor numbers larger
than 57 to 58 digits, it was found that as the sieving interval became
large enough to find roughly t residues that factored completely, the mag-
nitudes of the quadratic residues to be factored themselves became pro-
hibitively large. Eventually the frequency with which a quadratic residue
could be completely factored over the prime base became so small that the
sieving times were intolerable. For the largest numbers factored, we
were examining many tens of millions of residues to find even one complete
factorization.
Quadratic Sieving: Fancy

If it is the case that after all of the prime factors from the prime
base have been factored out of a quadratic residue,

Q(x) = q ∏_{i=0}^{t} p_i^{a_i},

the residual factor, q, is bounded by p_t < q < p_t^2, then q is necessarily
a prime. Use of these "large" primes in the factorization by simply
adding them to the prime base has been suggested and implemented [13],
since if two quadratic residues, Q(x_1) and Q(x_2), can be found such that

Q(x_1) ≡ q ∏_{i=0}^{t} p_i^{a_{1i}} (mod n)

and

Q(x_2) ≡ q ∏_{i=0}^{t} p_i^{a_{2i}} (mod n),

then

Q(x_1) Q(x_2) q^{-2} ≡ ∏_{i=0}^{t} p_i^{a_{1i} + a_{2i}} (mod n),

i.e., a quadratic residue that can be factored over the prime base can be
constructed.

Although this approach, known as the large prime variation, does
improve the performance of the algorithm over the "plain" quadratic sieve,
the improvement isn't great enough to asymptotically make any difference.
The reason that one only gets a marginal improvement from augmenting the
prime base with a large prime is that for all intents and purposes we are
randomly generating the quadratic residues — at least so far as their
divisibility by a particular prime is concerned. Therefore the probability
that we will find another quadratic residue, Q(x'), — by sequentially
indexing on x — such that

q | Q(x')

is ≈ 1/q per trial, which is a very small quantity. If instead of simply
searching for a Q(x') such that q | Q(x'), we could systematically generate
a new sequence of Q's, such that q | Q(x), and in which Q(x)/q is small,
then we could recover the same comparatively high probability that the
resulting quotients would completely factor over the factor base that we
had for Q(x) when x, and the Q(x), were small. This is the essential idea
behind Davis' special q variation or "quadratic sieving: fancy."

Assume that we have found in the regular quadratic sieving an x for
which

Q(x) = q ∏_{i=0}^{t} p_i^{a_i}

where p_t < q < p_t^2.

A candidate for such an x is found when the quantity remaining in one
of the indexed entries after the sieving is completed lies between log p_t
and 2 log p_t. If by chance some of these candidate Q(x)'s actually factor
over the factor base because of large prime powers that were not considered
in the original sieving, they are identified later and included among the
complete factorizations. If q is actually prime, which is almost always the
case, then note that:

Q(x ± hq) = (x ± hq + m)^2 - n = Q(x) ± 2hq(x + m) + h^2 q^2,

where each term on the right is divisible by q, and the magnitude of Q(x ± hq)/q
is essentially that of Q(h), i.e., Q(x ± hq)/q ≈ 2hm for x ≪ √n. We can
then form subsequences of residues starting at x and at -(x + 2m) (mod q)
whose magnitudes are comparable to those of Q(x) at the start of the orig-
inal sieve. The sieving on the subsequences is done exactly as in the
plain quadratic sieve. One problem that may be encountered when using
special q's is that the arguments may become larger than single precision
words in the computer. We overcame this by using the pairs (x,h) to repre-
sent x + hq and thus temporarily avoid multiprecision operations.

These special q's are relatively easy to find compared to finding 
complete factorizations. Thus in order to keep reduced residues "small", 
for each special q we sieve the subsequence for only a short interval: 
typically for a few blocks. When dealing with a single special q any com- 
plete factorization of a quadratic residue contains the factor q, which can 
be eliminated before going to the Gaussian reduction by combining pairs of 
factorizations to get quadratic residues in which q occurs an even number of 
times. 

The sieving property is not dependent on the primality of the divisor,
q, so why require the special q's to be prime? This is to prevent "colli-
sions" between special q subsequences; that is, to prevent the same factor-
ization being generated by two subsequences. If q_1 | Q(x) and q_2 | Q(x) and
p_t^2 > q_1 > q_2 > p_t, then we would have q_1 q_2 | Q(x). But then Q(x) could
not have passed the factorization criterion in the first place.

The special q modification introduced a few complications to the
computation such as multiprecision arguments, and required writing a new
computer code, but the increased capability was dramatic. The bottom line
is that the special q variation enabled factorization of 63-64 digit
integers in times comparable to those required by the original sieve to
factor 55-56 digits. Furthermore, the relatively constant success rate
for complete factorizations within the subsequences enables an accurate
early estimation to be made of how much computing time will be required
for a given factorization.

Examining the residuals in Table II we see that 23, 29 and 31 are
all candidate special q's. We let q = 23 be the special q in the example
used earlier. Table III shows the resulting quadratic residues S_x based
on x_0 = 1 and T_x based on the paired x_0 = -(1+2m) ≡ -5 (mod 23) for
|x| ≤ 2. Four residues factor completely over the prime base extended
by 23.

Table III

Sieve on special q = 23

Q'(x) = Q(x_0 + xq) = (x_0 + xq + m)^2 - n

S_x: x_0 = 1

   x   x_0 + xq + m   Q'(x)/q   Factors from base   Residual
  -2        26          -191    -1                  191
  -1        49          -116    -1·2^2              29
   0        72             5    5
   1        95           172    2^2                 43
   2       118           385    5·7·11

T_x: x_0 = -(1+2m) ≡ -5 (mod 23)

   x   x_0 + xq + m   Q'(x)/q   Factors from base   Residual
  -2        20          -203    -1·7                29
  -1        43          -140    -1·2^2·5·7
   0        66           -31    -1                  31
   1        89           124    2^2                 31
   2       112           325    5^2·13



Over the base extended by 23 the four complete factorizations give the rows:

             -1   2   5   7  11  13  23
  S_2         0   0   1   1   1   0   1
  S_0         0   0   1   0   0   0   1
  T_-1        1   0   1   1   0   0   1
  T_2         0   0   0   0   0   1   1

Eliminating 23 by multiplying each row by the first we get:

             -1   2   5   7  11  13
  S_2 S_0     0   0   0   1   1   0
  S_2 T_-1    1   0   0   0   1   0
  S_2 T_2     0   0   1   1   1   1

Referring to Table II, we see that

  (a)  V_0 ⊕ V_-8 ⊕ S_2S_0 = 0

  (b)  V_-1 ⊕ V_-2 ⊕ S_2S_0 = 0

  (c)  V_-1 ⊕ V_0 ⊕ V_9 ⊕ S_2S_0 = 0

From (a) we find

w = 71·63·118·72 ≡ 315 (mod 5069)

and

z = 2^2·5^2·7·11·23 ≡ 4754 (mod 5069)

where

w ≡ -z (mod 5069).

Similarly from (b) we find

w = 70·69·118·72 ≡ 2125 (mod 5069)

and

z = 2·5·7·11·13·23 ≡ 2125 (mod 5069),

neither of which tells us anything about the factorization of n. On the
other hand, from (c)

w = 70·71·80·118·72 ≡ 2655 (mod 5069)

and

z = 2·5·7·11^2·13·23 ≡ 3099 (mod 5069)

where w ≢ ±z. Hence

(3099 + 2655, 5069) = 137

and

(3099 - 2655, 5069) = 37.

One cannot expect such a small example to illustrate the advantages 
of using special q's — although the range of the parameters is slightly 
smaller in the example with the special q than without. 
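Davis' special-q subsequences for the same n = 5069 with q = 23, as an added example that is not code from the paper: it regenerates both halves of Table III from x_0 = 1 and its paired root -(x_0 + 2m) mod q, checks the sieving property q | Q'(x) on every entry, and performs the q-elimination step by multiplying each smooth row by a chosen pivot row; `paired_root`, `divide_out` and `eliminate_q` are names chosen here.

```python
from math import isqrt

N, Q, M = 5069, 23, isqrt(5069)        # n, the special q, m = floor(sqrt n) = 71
BASE = (-1, 2, 5, 7, 11, 13)           # Table II factor base (-1 tracks the sign)


def paired_root(x0, q=Q, m=M):
    """Second root of (x+m)^2 = n (mod q): -(x0 + 2m), returned as the symmetric
    residue in (-q/2, q/2] so that it matches the paper's -5."""
    r = (-(x0 + 2 * m)) % q
    return r - q if r > q // 2 else r


def divide_out(v, base=BASE):
    """Strip base primes from v; return (exponent vector, residual cofactor).
    A residual of 1 means v factors completely over the base."""
    exps = [0] * len(base)
    if v < 0:
        exps[0], v = 1, -v
    for i, p in enumerate(base[1:], start=1):
        while v % p == 0:
            exps[i] += 1
            v //= p
    return exps, v


def subsequence(x0, lo=-2, hi=2, n=N, q=Q, m=M):
    """Rows (x, x0+xq+m, Q'(x)/q, exponents, residual) for lo <= x <= hi.
    Once q | Q(x0), every Q'(x) = (x0 + xq + m)^2 - n is divisible by q."""
    rows = []
    for x in range(lo, hi + 1):
        root = x0 + x * q + m
        qp = root ** 2 - n
        assert qp % q == 0                  # the sieving property of the special q
        exps, residual = divide_out(qp // q)
        rows.append((x, root, qp // q, exps, residual))
    return rows


def table_iii(x0=1):
    """The S (root x0) and T (paired root) subsequences of Table III."""
    return subsequence(x0), subsequence(paired_root(x0))


def smooth_rows(rows):
    return [r for r in rows if r[4] == 1]


def eliminate_q(smooth, pivot=0):
    """Multiply every other smooth row by the pivot row so q appears squared (hence
    drops out of the parity vector). Returns [(product of roots, parity over BASE)]."""
    first = smooth[pivot]
    out = []
    for i, r in enumerate(smooth):
        if i == pivot:
            continue
        parity = [(a + b) & 1 for a, b in zip(first[3], r[3])]
        out.append((first[1] * r[1], parity))
    return out
```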
Strong Primes are Easy to Find



John Gordon, Cybermation Ltd

Summary

A simple method is given for finding strong, random, large
primes of a given number of bits, for use in conjunction with the
RSA Public Key Cryptosystem. A strong prime p is a prime
satisfying:

* p = 1 mod r

* p = s-1 mod s

* r = 1 mod t,

where r, s and t are all large, random primes of a given number of
bits. It is shown that the problem of finding strong, random,
large primes is only 19% harder than finding random, large
primes.



Introduction

The most promising public key cryptosystem (PKC) since the idea
was first published [1] is almost certainly the RSA scheme [2].

A brief description of the RSA scheme will now be given, but the
interested reader should consult [2] for more details. In what
follows, the terms number and integer are both to be
taken as indicating either a positive integer or zero.

In implementing this scheme a person (say Bob) makes for himself
a set of three large numbers: m, E and D, (respectively the
modulus, Public key and Secret key) with the properties:

if y = x^E mod m then x = y^D mod m

for all numbers x in the range (0, m-1).

The numbers E and m are published, and someone else (say Alice)
wishing to send a secret message x (regarded for the purpose of
encryption as a large integer) to Bob, calculates y from x and
sends to Bob the cryptogram y. Since Bob knows D he can
recover the message. Anyone else wishing to eavesdrop must find D,
or else discover x some other way. Both of these recourses appear
to be computationally infeasible for suitable choices of
parameters.

Bob makes m, E and D as follows. He chooses two very large primes
p and q at random with p and q of roughly equal size (of say 256
bits each). This choice of p and q is the subject of this paper.
He chooses E at random, relatively prime to (p-1)(q-1) and then
finds D from the relationship:

ED = 1 mod (p-1)(q-1)

which he can do easily and quickly using Euclid's algorithm
[3], [4]. Finally he forms m using:

m = pq.

T. Beth, N. Cot, and I. Ingemarsson (Eds.): Advances in Cryptology - EUROCRYPT '84, LNCS 209, pp. 216-223, 1985.
© Springer-Verlag Berlin Heidelberg 1985

A potential eavesdropper must it seems first find D, which appears
to require the determination of p and q, which in turn seems to
imply that he must be able to factorise m. To factorise a product
m=pq where p and q are very large primes of say 256 bits each is
one of the hardest known common problems [2], [3].

The advanced techniques a cryptanalyst might use to factor m [3]
break down when p (and similarly q) is not only prime but also has
the properties that p-1 has a large prime factor say r, and p+1
has a large prime factor say s. To make the problem really hard
r-1 should have a large prime factor as well. For logistical
reasons it is also necessary to be able to choose p in some sense
at random but with a given number of bits.

There is thus a considerable interest in the problem of finding
primes with these desirable properties. However there does not
appear to be any published way of finding primes with all these
properties, and in this paper we show how to satisfy all the
requirements. In particular it is shown that the extra conditions
imposed upon p add only 19% to the cost of the task of finding p.



The Technique 

We seek therefore a computationally economical construction for a 
large, randomly seedable integer p of given number of bits and 
with the following properties: 

* p is prime. 

* p-1 has a large, prime factor, say r. 

* p+1 has a large, prime factor, say s. 

* r-1 has a large, prime factor, say t.

Numbers satisfying these criteria will be known as Strong
Primes. We now show explicitly how to construct strong primes.
We begin with the following observations.

If p-1 has a large, prime factor r, then p = Kr + 1 for some K. If
K is odd (and assuming that r is greater than 2 and hence an odd
prime), then p will be even (since a product of odd numbers is
odd), which is ridiculous since p is greater than r. Therefore K
must be even. Since p, r, s and t are all assumed to be large we
are only interested in odd primes p whose properties are in
effect:

(1) p = 2jr + 1 (or p = 1 mod 2r)

(2) p = 2ks - 1 (or p = s-1 mod 2s)

(3) r = 2Lt + 1 (or r = 1 mod 2t)

for some j, k, L where r, s and t are primes.
Our order of events will be:

* choose random seeds a and b

* from a and b generate random primes s and t

* from t construct r

* from r and s construct p.

It will be assumed that choosing random seeds with any required
number of bits does not present any special problems and this
aspect will not be addressed further.



Find s and t

Finding s (and t) which are just random primes greater than a
given seed and of specified number of bits is relatively
straightforward. Starting from random seed a, we will find the
first prime s (or t) greater than a. We now estimate the
computational effort and the time to complete tasks of this type.

We know from the Prime Number Theorem [4] that x/Ln(x) is a
very good estimate of the number of primes less than x. Hence the
density of primes in the neighbourhood of x is given by:

d/dx (x/Ln(x)) = 1/Ln(x) - 1/Ln(x)^2

which is close to 1/Ln(x) for large x. The mean separation between
primes of magnitude x is therefore about Ln(x). If we search
through only odd numbers for the next prime greater than s we
will need to examine on average no more than Ln(x)/2 numbers. If
x=2^n this amounts to 0.35n integers. We are thus unlikely to
need to examine say n integers before finding a prime.

Eliminating multiples of 3 reduces the search by a further factor
of two-thirds and so on. Continuing in this way we find that
eliminating multiples of the first 54 primes, (2,3,5,..,251),
leaves only 10.035% of all integers for serious further
examination. The reason for being interested in the first 54
primes resides in the fact that these are precisely those primes
which can be represented in one 8-bit byte or less. They can be
stored in single bytes and permit extremely rapid elimination
using a division algorithm which efficiently exploits a 1-byte
divisor. This algorithm need not form a quotient. The typical
search will then pay serious attention to only 0.10035Ln(x)
integers. If x is an n-bit number this amounts to less than 0.07n
integers.

Our technique is to test these remaining, uneliminated integers
using an efficient, statistical technique, for example
Algorithm P in [3]. Each such test consists of v passes
through a procedure whose complexity is dominated by the need to
perform a modular exponentiation (u^q mod x) where v is about
5, and q and x are n-bit quantities.

In point of fact, non-primes are almost invariably eliminated on
the first pass and so v=5 only for the number finally chosen.
If most numbers are eliminated then v=1 is a more realistic
estimate.

Modular exponentiation on a normal computer where multiprecision
arithmetic must be used requires triple-nested loops at the bit or
word level and the time to perform such an exponentiation is of
order O(n^3). Experiments on small computers using very
efficient assembly language programming indicate that the time to
exponentiate for large n is about

T_exp(n) = cTn^3/w

where c is a constant of size about 8, T is the time for one
instruction and w is the word size. (On a special-purpose n-bit
machine the time would be of the order O(n^2)). The time
therefore needed to find s (or t) (ignoring the time for quick
eliminations) is about 0.07n times cvTn^3/w i.e. about:

T_prime(n) = 0.07cvTn^4/w.

When we have found s (or t), it is unlikely to have more bits than
the seed a. We can virtually ensure this by picking our value
of a in the range (2^(n-1), 2^(n-1) + 2^(n-2) - 1). This
ensures that a starts with the two digits 10 which leaves a
run of 2^(n-2) integers in which to find a prime before
increasing the number of bits.



Find r

We now seek a prime r of the form 2Lt+1. Our technique is to
search through (2Lt+1)-space for successive values of L. Since we
will only be examining odd numbers, primes will appear to be twice
as dense as among all numbers, but conversely twice as many will
have non-trivial divisors. Thus the time to find r will again
be T_prime(n) where n is the number of bits in r.

Controlling the size of r

We are likely to use about nLn(2)/2 = 0.35n successive values of L
before finding r. Every time L doubles another bit is added to
2Lt+1. If this process is not to leave great uncertainties in the
final number of bits in r we should start with a value L_0 of
about n, so that L will increase on average by a factor of 1.35
which is less than 2. The final size of r will be very close to
Log_2(2L_0) + n bits. We can increase the certainty of
this by increasing L_0.

A more sophisticated approach is to arrange for 2t to be say
Log_2(n) bits shorter than the desired length of r, then
starting with unity, add in successive multiples of 2t until the
desired length of r is reached, and then begin checking for
primality at each subsequent addition of 2t.



Find p

We now come to the final part of the technique, namely, given
primes r and s, find a prime p, close in size to a given number of
bits, and satisfying:

p = 2jr+1 = 2ks-1, for some j and k

or

p = 1 mod 2r = 2s-1 mod 2s.                                    {1}

The key to solving the problem of finding primes with these
properties is contained in the following theorem.

Theorem 1:

If r and s are odd primes, then p satisfies:

p = (1 mod 2r) = (s-1 mod 2s)

if and only if p is of the form:

p = p_0 + 2krs                                                 {2}

where

p_0 = u(r,s)         : u(r,s) odd

    = u(r,s) + rs    : u(r,s) even

and u(r,s) = (s^(r-1) - r^(s-1)) mod rs.                       {3}
Proof:

Integers, prime or otherwise, satisfying {1} clearly also satisfy
the weaker condition:

p = jr + 1 = ks - 1 for some j,k.                              {4}

Numbers satisfying {4} are alternately odd and even. Integers
satisfying {1} are just the odd valued numbers satisfying {4}. The
remainder of the proof consists in showing that numbers satisfying
{4} are of the form u(r,s) + krs. Solving {4} is just a special
case of an application of the Chinese Remainder Theorem [4].

Consider the number u(r,s) of the form {3} above.

Now by Fermat's Theorem [4], namely:

if q is prime and 0 <= x < q, then

x^(q-1) = 1 mod q = kq + 1, for some k,

it is clear that s^(r-1) = 1 mod r, and similarly r^(s-1) = 1
mod s.

Also of course s^(r-1) = 0 mod s, and r^(s-1) = 0 mod r.
Finally rs = (0 mod r) = (0 mod s).
Thus u(r,s) satisfies {4}.

We now show that numbers not of the form u(r,s) + ksr cannot
satisfy {4}.

Let u and u' satisfy {4} and consider the difference:

u - u' = (1 mod r) - (1 mod r) = 0 mod r = kr

       = (s-1 mod s) - (s-1 mod s) = 0 mod s = k's

for some k and k'. Thus u-u' is a multiple of LCM(r,s) which is rs
since r and s are prime. Since u(r,s) satisfies {4}, u and u' must
be of the form u(r,s) + ksr. QED.

Finding u(r,s) and hence p_0 requires two exponentiations at a
cost of 2T_exp. Finding p amounts to finding a prime in
(p_0+2krs)-space and the same considerations apply here as did
to the search for r in (2Lt+1)-space, namely that we should start
with p_0 and add in successive multiples of 2rs until the
desired size is reached, then check for primality at each
subsequent addition.
Size of p, r, s and t

The size of p is a few bits larger than the size of 2rs. The
difference is entirely due to the need to exercise some control
in the size of p. Thus we should start with 2rs of a suitable
size, say Log_2(n) bits less than n, the desired number of
bits in p. This in turn tells us the size for r and s. Presumably
it is desirable for r and s to be of about equal size which will
be a few bits less than half the size of p. There is no problem
with s, and the method of finding r of suitable size has already
been dealt with earlier.

Time to Find p

The time spent searching for primes dominates. We need to mount
searches for p, of n bits, and for t, r and s, each roughly of n/2
bits. Altogether, ignoring all times except those spent searching
for primes, the time to find p should average

T_prime(n) + 3T_prime(n/2)

= 1 3/16 T_prime(n)

= 1.19 x 0.07cvTn^4/w.

This represents an increase of only 3/16 (=19%) over the time to
find a random prime of given size n bits.



Example

Using the technique described here, strong primes of about 256
bits such as:

p=7,918,324,333,004,779,287,780,879,909,121,159,911,537,
551,977,796,076,554,305,607,309,994,905,870,203

where t= 83,106,713,586,449,986,154,292,642,419,182,973
      r= 7,645,817,649,953,398,726,194,923,102,564,833,517
and   s=10,638,156,841,358,536,678,090,874,848,207,317,901

can be generated in about 20 minutes on a small microcomputer with
1MHz clock (Apple-II) using an extremely efficient modular
arithmetic package (CyMAS).
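Gordon's construction end to end, as an added example that is not the CyMAS code from the paper: Miller-Rabin stands in for the Algorithm P the paper cites, seeds carry the leading bits 10, r = 2Lt+1 is found by stepping L, u(r,s) and p_0 come from Theorem 1, and p = p_0 + 2krs is stepped in k. Sizes are toy (32 bits in total) so the fixed Miller-Rabin bases stay deterministic; function names are this example's own.

```python
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic for n < 3.3e24


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (a stand-in for the Algorithm P the paper cites)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(a):
    """First prime greater than the seed a, examining odd candidates only."""
    c = a + 1 if a % 2 == 0 else a + 2
    while not is_probable_prime(c):
        c += 2
    return c


def seed_with_leading_10(rng, n):
    """n-bit seed in (2^(n-1), 2^(n-1) + 2^(n-2) - 1): top bits 10, so the prime found
    just above it almost surely still has n bits."""
    return (1 << (n - 1)) + rng.getrandbits(n - 2)


def find_r(t, L0):
    """Smallest prime of the form 2Lt + 1 with L >= L0 (so r = 1 mod 2t)."""
    L = L0
    while not is_probable_prime(2 * L * t + 1):
        L += 1
    return 2 * L * t + 1


def u_of(r, s):
    """u(r,s) = (s^(r-1) - r^(s-1)) mod rs; by Fermat it is 1 mod r and -1 mod s."""
    rs = r * s
    return (pow(s, r - 1, rs) - pow(r, s - 1, rs)) % rs


def find_p(r, s):
    """Theorem 1: p = p0 + 2krs with p0 the odd one of u, u + rs; search k = 0, 1, ..."""
    u = u_of(r, s)
    p0 = u if u % 2 else u + r * s
    k = 0
    while not is_probable_prime(p0 + 2 * k * r * s):
        k += 1
    return p0 + 2 * k * r * s


def strong_prime(bits, rng):
    """(p, r, s, t): r | p-1, s | p+1, t | r-1, all prime. Sizes are approximate, as in
    the paper: s and t from seeds, r a little above 2*L0*t, p a little above 2rs."""
    half = bits // 2
    s = next_prime(seed_with_leading_10(rng, half))
    t = next_prime(seed_with_leading_10(rng, half - half.bit_length()))
    r = find_r(t, L0=half)
    p = find_p(r, s)
    return p, r, s, t


def is_strong(p, r, s, t):
    """Check the three divisibility conditions and primality of all four numbers."""
    return (all(is_probable_prime(v) for v in (p, r, s, t))
            and (p - 1) % r == 0 and (p + 1) % s == 0 and (r - 1) % t == 0)


def generate_example(bits=32, seed=84):
    """Toy-size run with a fixed seed so the result is reproducible."""
    return strong_prime(bits, random.Random(seed))
```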
ABSTRACT

Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element
u ∈ GF(q) is that integer k, 1 ≤ k ≤ q-1, for which u = g^k. The well-known problem of
computing discrete logarithms in finite fields has acquired additional importance in recent years due
to its applicability in cryptography. Several cryptographic systems would become insecure if an
efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known
algorithms in this area, with special attention devoted to algorithms for the fields GF(2^n). It
appears that in order to be safe from attacks using these algorithms, the value of n for which
GF(2^n) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to
recent discoveries, discrete logarithms in fields GF(2^n) are much easier to compute than in fields
GF(p) with p prime. Hence the fields GF(2^n) ought to be avoided in all cryptographic
applications. On the other hand, the fields GF(p) with p prime appear to offer relatively high levels
of security.
Discrete logarithms in finite fields and their cryptographic significance

A. M. Odlyzko

AT&T Bell Laboratories
Murray Hill, New Jersey 07974

1. Introduction

The multiplicative subgroup of any finite field GF(q), q a prime power, is cyclic, and the
elements g ∈ GF(q) that generate this subgroup are referred to as primitive elements. Given a
primitive element g ∈ GF(q) and any u ∈ GF(q)* = GF(q) - {0}, the discrete logarithm of u with
respect to g is that integer k, 0 ≤ k < q-1, for which

u = g^k.

We will write k = log_g u. The discrete logarithm of u is sometimes referred to as the index of u.

Aside from the intrinsic interest that the problem of computing discrete logarithms has, it is of
considerable importance in cryptography. An efficient algorithm for discrete logarithms would make
several authentication and key-exchange systems insecure. This paper briefly surveys (in Section 2)
these cryptosystems, and then analyzes the known algorithms for computing discrete logarithms. As
it turns out, some of them, including the most powerful general purpose algorithm in this area, have
not been analyzed in complete detail before. Moreover, some of the analyses in the literature deal
only with fields GF(p), where p is a prime. In cryptographic applications, on the other hand,
attention has been focused on the fields GF(2^n), since arithmetic in them is much easier to
implement, with respect to both software and hardware. Therefore we concentrate on the fields
GF(2^n).

Several proposed algorithms for computing discrete logarithms are known. We briefly discuss
most of them (including some unsuccessful ones) in Section 3. In Section 4 we present the most
powerful general purpose algorithm that is known today, called the index-calculus algorithm, and
analyze its asymptotic performance. Recently a dramatic improvement in its performance in fields
GF(2^n) was made by Coppersmith [18,19], and we discuss it in detail. In Section 5 we discuss
several technical issues that are important to the performance of the index-calculus algorithm, such
as rapid methods to solve the systems of linear equations that arise in it. In that section we also
present several suggested modifications to the Coppersmith algorithm which appear to be
unimportant asymptotically, but are of substantial importance in practice. We discuss them in order
to obtain a reasonable estimate of how fast this algorithm could be made to run in practice. In
Section 6 we estimate the running time of that algorithm for fields GF(2^n) that might actually be
used in cryptography. In Section 7 we briefly discuss the performance of the index-calculus
algorithms in fields GF(p) for p a prime. Finally, we discuss the implications of these algorithms
for cryptography in Section 8. It turns out, for example, that the MITRE scheme [38,59] and the
Hewlett-Packard chip [69], both of which use the field GF(2^127), are very insecure. Depending on
the level of security that is desired, it seems that fields GF(2^n) to be used ought to have n large, no
smaller than 800 and preferably at least 1500. Furthermore, these values of n have to be very
carefully chosen. On the other hand, it appears at this moment that the fields GF(p), where p is a
prime, offer a much higher level of security, with p > 2^500 adequate for many applications and
p > 2^1000 being sufficient even for extreme situations. The fields GF(p) appear at this moment to
offer security comparable to that of the RSA scheme with modulus of size p.

It has to be stressed that this survey presents the current state of the art of computing discrete
logarithms. Since the state of the art has been advancing very rapidly recently, this paper has
already gone through several revisions. The most important of the new developments has certainly
been the Coppersmith breakthrough in fields GF(2^n). Even more recently, there has been much less
spectacular but still important progress in fields GF(p), which is briefly described in Section 7, and
in methods for dealing with sparse systems of equations, which are discussed in Section 5, and which
are crucial for the index-calculus algorithms. It is quite likely that further progress will take place
in discrete logarithm algorithms and so the cryptographic schemes described below will require the
use of even larger fields than are being recommended right now.
2. Cryptographic systems related to discrete logarithms

One of the first published cryptosystems whose security depends on discrete logarithms being
difficult to compute appears to be an authentication scheme. In many computer systems, users'
passwords are stored in a special file, which has the disadvantage that anyone who gets access to
that file is able to freely impersonate any legitimate user. Therefore that file has to be specially
protected by the operating system. It has been known for a long time (cf. [54]) that one can
eliminate the need for any secrecy by eliminating the storage of passwords themselves. Instead, one
utilizes a function f that is hard to invert (i.e., such that given a y in the range of f, it is hard to
find an x in the domain of f such that f(x) = y) and creates a file containing pairs (i, f(p_i)),
where i denotes a user's login name and p_i the password of that user. This file can then be made
public. The security of this scheme clearly depends on the function f being hard to invert. One
early candidate for such a function was discrete exponentiation; a field GF(q) and a primitive
element g ∈ GF(q) are chosen (and made public), and for x an integer, one defines

f(x) = g^x.

Anyone trying to get access to a computer while pretending to be user i would have to find p_i
knowing only the value of g^{p_i}, i.e., he would have to solve the discrete logarithm problem in the field
GF(q).

Public key cryptography suffers from the defect that the systems that seem safe are rather slow.
This disadvantage can be overcome to a large extent by using a public key cryptosystem only to
distribute keys for a classical cryptosystem, which can then be used to transmit data at high speeds.
Diffie and Hellman [23] have invented a key-exchange system based on exponentiation in finite
fields. (This apparently was the very first public key cryptosystem that was proposed.) In it, a finite
field GF(q) and a primitive element g ∈ GF(q) are chosen and made public. Users A and B, who
wish to communicate using some standard encryption method, such as DES, but who do not have a
common key for that system, choose random integers a and b, respectively, with 2 ≤ a, b ≤ q-2.
Then user A transmits g^a to B over a public channel, while user B transmits g^b to A. The
common key is then taken to be g^{ab}, which A can compute by raising the received g^b to the a
power (which only he knows), and which B forms by raising g^a to the b power. It is clear that an
efficient discrete logarithm algorithm would make this scheme insecure, since the publicly
transmitted g^a would enable the cryptanalyst to determine a, and he could then determine the key
used by A and B. Diffie and Hellman [23] have even conjectured that breaking their scheme is
equivalent in difficulty to computing discrete logarithms. This conjecture remains unproved, and so
we cannot exclude the possibility that there might be some way to generate g^{ab} from knowledge of
g^a and g^b only, without computing either a or b, although it seems unlikely that such a method
exists.

The Diffie-Hellman key-exchange scheme seems very attractive, and it has actually been
implemented in several systems, such as a MITRE Corp. system [38,59]. Moreover, Hewlett-
Packard has built a special purpose VLSI chip which implements this scheme [69]. However, these
implementations have turned out to be easily breakable. It appears possible, though, to build a
Diffie-Hellman scheme that is about as secure as an RSA scheme of comparable key size. This
will be discussed at some length in Section 8.

Systems that use exponentiation in finite fields to transmit information have also been proposed. 
One is based on an idea due to Shamir [37; pp. 345-346] and has been advocated in the context of 
discrete exponentiation by Massey and Omura [63]. For example, suppose user A wishes to send a 
message m (which we may regard as a nonzero element of the publicly known field GFiq)) to user 
B. Then A chooses a random integer c, 1 < c < q— 1, (c,q— 1) — 1, and transmits x — m c to B. 
User B then chooses a random integer d, 1 < d < q— 1, {d,q— 1) - 1, and transmits y— x d — m cd 
to A. User A now forms z — y c where cc' = 1 (mod q— 1), and transmits z to B. Since 

z - y c ' - m cdc ' - m d , 

B only has to compute z d to recover m, where dd' = 1 (mod q— 1), since 

z ™ m ~ m . 

In this scheme it is again clear that an efficient method for computing discrete logarithms over 
$GF(q)$ would enable a cryptanalyst to recover the plaintext message $m$ from the transmitted 
ciphertext messages $m^c$, $m^{cd}$, and $m^d$. 
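The three-pass exchange above, carried out in a prime field, as an added example in Python (not code from the paper); the field $GF(q)$ with $q = 1000003$, the message and the exponents are constructed toy values, and the check that $(c, q-1) = 1$ is made explicit because without it $c'$ does not exist.

```python
import secrets
from math import gcd
from typing import Optional, Tuple

# Constructed toy field GF(q) with q prime (not a value from the paper); in
# practice q is chosen so that q-1 has a large prime factor (Sections 3 and 8).
Q = 1_000_003

def valid_exponent(c: int, q: int) -> bool:
    """The scheme needs 1 <= c <= q-1 with (c, q-1) = 1, so that c' with
    c c' = 1 (mod q-1) exists and m^{c c'} = m for every nonzero m."""
    return 1 <= c <= q - 1 and gcd(c, q - 1) == 1

def pick_exponent(q: int) -> int:
    """Random exponent satisfying valid_exponent (rejection sampling)."""
    while True:
        c = secrets.randbelow(q - 1) + 1
        if valid_exponent(c, q):
            return c

def three_pass(m: int, q: int = Q, c: Optional[int] = None,
               d: Optional[int] = None) -> Tuple[int, int, int, int]:
    """Shamir / Massey-Omura exchange of a nonzero m in GF(q).  Returns the three
    values that cross the channel (x = m^c, y = m^{cd}, z = m^d) and what B recovers."""
    assert 1 <= m <= q - 1, "m must be a nonzero field element"
    c = pick_exponent(q) if c is None else c        # A's secret exponent
    d = pick_exponent(q) if d is None else d        # B's secret exponent
    assert valid_exponent(c, q) and valid_exponent(d, q)
    c_inv = pow(c, -1, q - 1)                        # c c' = 1 (mod q-1)
    d_inv = pow(d, -1, q - 1)                        # d d' = 1 (mod q-1)
    x = pow(m, c, q)              # pass 1, A -> B:  m^c
    y = pow(x, d, q)              # pass 2, B -> A:  m^{cd}
    z = pow(y, c_inv, q)          # pass 3, A -> B:  m^{cdc'} = m^d
    recovered = pow(z, d_inv, q)  # B strips d:       m^{dd'} = m
    return x, y, z, recovered
```

An observer of the channel sees only $m^c$, $m^{cd}$ and $m^d$; recovering $m$ from them is the discrete logarithm problem the text refers to.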

Another scheme for transmission of information has been proposed by T. ElGamal [26] and is in 
essence a variant of the Diffie-Hellman key distribution scheme. User A publishes a public key 
$g^a \in GF(q)$, where the field $GF(q)$ and a primitive root $g$ are known (either they are also 
published by A or else they are used by everyone in a given system), but keeps $a$ secret. User B, 
who wishes to send $m \in GF(q)$ to A, selects $k$ at random, $1 \le k \le q-2$ (a different $k$ has to be 
chosen for each $m$) and transmits the pair $(g^k, m g^{ak})$ to A. User A knows $a$ and therefore can 
compute $g^{ak} = (g^k)^a$ and recover $m$. An efficient discrete logarithm algorithm would enable a 
cryptanalyst to compute either $a$ or $k$, and would therefore make this scheme insecure also. 

T. ElGamal [26] has also proposed a novel signature scheme that uses exponentiation in fields 
$GF(p)$, $p$ a prime. User A, who wishes to sign messages electronically, publishes a prime $p$, a 
primitive root $g$ modulo $p$, and an integer $y$, $1 \le y \le p-1$, which is generated by choosing a random 
integer $a$, which is kept secret, and setting $y = g^a$. (The prime $p$ and the primitive root $g$ can be 
the same for all the users of the system, in which case only $y$ is special to user A.) To sign a 
message $m$, $1 \le m \le p-1$, user A provides a pair of integers $(r, s)$, $1 \le r, s \le p-1$, such that 

$g^m \equiv y^r r^s \pmod p$. (2.1) 

To generate $r$ and $s$, user A chooses a random integer $k$ with $(k, p-1) = 1$ and computes 

$r = g^k$. 

Since $y = g^a$, this means that $s$ has to satisfy 

$g^m \equiv g^{ar + ks} \pmod p$, (2.2) 

which is equivalent to 

$m \equiv ar + ks \pmod{p-1}$. (2.3) 

Since $(k, p-1) = 1$, there is a unique solution to (2.3) modulo $p-1$, and this solution is easy to find 
for user A, who knows $a$, $r$, and $k$. An efficient discrete logarithm algorithm would make this 
scheme insecure, since it would enable the cryptanalyst to compute $a$ from $y$. No way has been 
found for breaking this scheme without the ability to compute discrete logarithms, and so the 
scheme appears quite attractive. It is not as fast as the Ong-Schnorr-Shamir signature scheme [50], 
but since several versions of that scheme were recently broken by Pollard, it should not be 
considered for use at the present time. The ElGamal scheme appears to be about as secure as the 
RSA scheme for moduli of the same length, as we will see later, although it does expand bandwidth, 
with the signature being twice as long as the message. 
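Both ElGamal constructions described above, the encryption scheme with its per-message $k$ and the signature scheme of (2.1)-(2.3), as one added Python example (not code from the paper). The field is a constructed toy: $p = 2^{31}-1$ with primitive root 7, chosen so the example runs instantly; its $p-1$ is smooth, so it is exactly the kind of prime that Section 3's algorithm handles easily and that must not be used in practice.

```python
import secrets
from math import gcd
from typing import Tuple

# Constructed toy parameters, not from the paper: p = 2^31 - 1 is prime and 7 is a
# primitive root modulo p.  Because p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331 is
# smooth, Section 3's Silver-Pohlig-Hellman method finds logarithms here quickly;
# a real deployment needs p - 1 to have a large prime factor (Section 8).
P = 2**31 - 1
G = 7

def keygen(p: int = P, g: int = G) -> Tuple[int, int]:
    """Secret a and public y = g^a (mod p)."""
    a = secrets.randbelow(p - 2) + 1            # 1 <= a <= p-2
    return a, pow(g, a, p)

def encrypt(m: int, y: int, p: int = P, g: int = G) -> Tuple[int, int]:
    """ElGamal encryption to public key y: the pair (g^k, m g^{ak})."""
    assert 1 <= m <= p - 1
    k = secrets.randbelow(p - 2) + 1            # fresh k for every message
    return pow(g, k, p), m * pow(y, k, p) % p

def decrypt(ct: Tuple[int, int], a: int, p: int = P) -> int:
    """Holder of a computes g^{ak} = (g^k)^a and divides it out."""
    c1, c2 = ct
    return c2 * pow(pow(c1, a, p), -1, p) % p

def sign(m: int, a: int, p: int = P, g: int = G) -> Tuple[int, int]:
    """ElGamal signature (r, s) on 1 <= m <= p-1 satisfying (2.1).
    r = g^k with (k, p-1) = 1; s is the unique solution of (2.3) modulo p-1."""
    assert 1 <= m <= p - 1
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:
            break
    r = pow(g, k, p)
    s = (m - a * r) * pow(k, -1, p - 1) % (p - 1)
    return (r, s) if s else sign(m, a, p, g)    # (2.1) needs 1 <= s <= p-1

def verify(m: int, sig: Tuple[int, int], y: int, p: int = P, g: int = G) -> bool:
    """Check (2.1): g^m = y^r r^s (mod p), enforcing the stated ranges for r and s."""
    r, s = sig
    if not (1 <= r <= p - 1 and 1 <= s <= p - 1 and 1 <= m <= p - 1):
        return False
    return pow(g, m, p) == pow(y, r, p) * pow(r, s, p) % p
```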

The presumed intractability of the discrete logarithm problem is crucial also for the Blum-Micali 
construction [9] of a cryptographically strong random number generator. What they show is that it 
is possible to compute a long sequence that is obtained deterministically from a short random 
sequence, and in which successive bits cannot be predicted efficiently from the preceding ones 
without the ability to compute discrete logarithms efficiently. 

A scheme whose security is essentially equivalent to that of the Diffie-Hellman scheme was 
recently published by Odoni, Varadharajan, and Sanders [49]. These authors proposed taking a 
matrix $B$ over $GF(p)$ which is the companion matrix of an irreducible polynomial $f(x)$ of degree 
$m$ over $GF(p)$. The Diffie-Hellman scheme would then be implemented by replacing the primitive 
element $g$ by the matrix $B$, so that pairs of users would transmit matrices $B^a$ and $B^b$ to each other, 
where $a$ and $b$ are the two random integers chosen by the two users. However, the matrix ring 
generated by $B$ is isomorphic to the field $GF(p^m)$, so this scheme does not provide any additional 
security. The more sophisticated scheme proposed in [49], with the matrix $B$ being obtained from 
several companion matrices of irreducible polynomials of degrees $m_1, \ldots, m_k$, can also be shown to 
be reducible to the problem of computing discrete logarithms in the fields $GF(p^{m_i})$ separately. 

Finally, we mention that the ability to compute quantities generalizing discrete logarithms in 
rings of integers modulo composite integers would lead to efficient integer factorization 
algorithms [5,40,45,52]. 
3. Some special algorithms 

In this section we discuss briefly some algorithms that apparently don't work very well and then 
we discuss a very useful algorithm that works well only when all the prime divisors of $q-1$ are of 
moderate size. 

The first method we discuss was not designed as an algorithm at all. In a field $GF(p)$, $p$ a 
prime, any function from the field to itself can be represented as a polynomial. Wells [64] has 
shown that for any $u$, $1 \le u \le p-1$, if $g$ is a primitive root modulo $p$, then one can write 

$\log_g u \equiv \sum_{j=1}^{p-1} \cdots \pmod p$. (3.1) 

This formula is clearly useless computationally, but it is interesting that such an explicit form for 
the discrete logarithm function exists. 

The Herlestam-Johannesson method [32] was designed to work over the fields $GF(2^n)$, and was 
reported by those authors to work efficiently for fields as large as $GF(2^{31})$. However, the heuristics 
used by those authors in arguing that the method ought to work efficiently in larger fields as well 
seem to be very questionable. As usual, $GF(2^n)$ is represented as polynomials over $GF(2)$ modulo 
some fixed irreducible polynomial $f(x)$ of degree $n$ over $GF(2)$. In order to compute the logarithm 
of $h(x)$ to base $x$, Herlestam and Johannesson proposed to apply a combination of the 
transformations 

$h(x) \to h(x)^2$, 
$h(x) \to x^{-1} h(x)$ 

so as to minimize the Hamming weight of the resulting polynomial, and apply this procedure 
iteratively until an element of low weight, for which the logarithm was known, was reached. There 
is no reason to expect such a strategy to work, and considerable numerical evidence has been 
collected which shows that this method is not efficient [13,67], and is not much better than a 
random walk through the field. However, some unusual phenomena related to the algorithm have 
been found whose significance is not yet understood [13,57]. In particular, the algorithm does not 
always behave like a random walk, and its performance appears to depend on the choice of the 
polynomial defining the field. These observations may be due to the small size of the fields that 
were investigated, in which case their significance would be slight. 

Another approach to computing discrete logarithms in fields $GF(2^n)$ was taken by Arazi [3]. 
He noted that if one can determine the parity of the discrete logarithm of $u$, then one can quickly 
determine the discrete logarithm itself. Arazi showed that one can determine the parity of discrete 
logarithms to base $g$ fast if $g$ satisfies some rather complicated conditions. Since being able to 
compute discrete logarithms to one base enables one to compute them to any other base about 
equally fast (as will be discussed in Section 5), it would suffice to find any $g$ that satisfies Arazi's 
condition. However, so far no algorithm has been found for finding such primitive elements $g$ in 
large fields $GF(2^n)$, nor even a proof that any such elements exist. It was shown by this author that 
primitive elements $g$ satisfying another set of conditions originally proposed by Arazi, which were 
more stringent than those of [3], do exist in fields $GF(2^n)$ for $2 \le n \le 5$, but not for $6 \le n \le 9$. 
Thus while the ideas of [3] are interesting and may be useful in future work, they appear to be of 
little practical utility at this moment. 

We next discuss a very important algorithm that was published by Pohlig and Hellman [51], and 
whose earlier independent discovery they credit to Roland Silver. This algorithm computes discrete 
logarithms over $GF(q)$ using on the order of $\sqrt{p}$ operations and a comparable amount of storage, 
where $p$ is the largest prime factor of $q-1$. In fact, there is a time-memory tradeoff that can be 
exploited, and Pohlig and Hellman [51] showed that if 

$q - 1 = \prod_{i=1}^{k} p_i^{n_i}$, (3.2) 

where the $p_i$ are distinct primes, and if $r_1, \ldots, r_k$ are any real numbers with $0 \le r_i \le 1$, then 
logarithms over $GF(q)$ can be computed in 

$O\left(\sum_{i=1}^{k} n_i \left(\log q + p_i^{1-r_i}(1 + \log p_i^{r_i})\right)\right)$ 

field operations, using 

$O\left(\log q \sum_{i=1}^{k} (1 + p_i^{r_i})\right)$ 

bits of memory, provided that a precomputation requiring 

$O\left(\sum_{i=1}^{k} \left(p_i^{r_i} \log p_i^{r_i} + \log q\right)\right)$ 

field operations is carried out first. 

We now present a sketch of the above algorithm. Suppose that $g$ is some primitive element of 
$GF(q)$, $x \in GF(q) - \{0\}$, and we wish to find an integer $a$, $1 \le a \le q-1$, such that 

$x = g^a$. (3.3) 

Because of the Chinese Remainder Theorem, we only need to determine $a$ modulo each of the $p_i^{n_i}$. 
Suppose that $p = p_i$ and $n = n_i$ for some $i$. Let 

$a \equiv \sum_{j=0}^{n-1} b_j p^j \pmod{p^n}$. 

To determine $b_0$, we raise $x$ to the $(q-1)/p$ power: 

$y = x^{(q-1)/p} = g^{a(q-1)/p} = \left(g^{(q-1)/p}\right)^{b_0}$, 

and note that $y$ is one of only $p$ elements, namely 

$h^0 = 1,\ h^1,\ h^2,\ \ldots,\ h^{p-1}$, 

where 

$h = g^{(q-1)/p}$. 

How one determines $b_0$ we will describe below. Once we have determined $b_0$, we can go on to 
determine $b_1$ by forming 

$\left(x g^{-b_0}\right)^{(q-1)/p^2} = h^{b_1}$, 

and so on. 

The value of $b_0$ is determined using Shanks' "baby steps-giant steps" technique. We are given $y$, 
and we need to find $m$ such that $y = h^m$, $0 \le m \le p-1$. If $r \in \mathbb{R}$ is given, $0 \le r \le 1$, we form 

$u = \lceil p^r \rceil$. 

Then there exist integers $c$ and $d$ such that 

$m = cu + d$, $0 \le d \le u-1$, $0 \le c \le p/u$. 

Hence finding $m$ is equivalent to finding integers $c$ and $d$ in the above ranges which satisfy 

$h^d = y h^{-cu}$. 

To find such $c$ and $d$, we can precompute $h^d$ for $0 \le d \le u-1$ and then sort the resulting values. 
We then compute $y h^{-cu}$ for $c = 0, 1, \ldots$, and check each value for a match with the sorted table of 
values of $h^d$. The precomputation and sorting take $O(p^r \log p)$ operations (note that these steps 
have to be done only once for any given field), and there are $O(p^{1-r})$ values of $y h^{-cu}$ to be 
computed. 
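The Silver-Pohlig-Hellman sketch above, with Shanks' baby-step giant-step method as the subroutine that finds each digit $b_j$, as an added Python example (not code from the paper). The field is a constructed toy: $q = 2^{31}-1$ with primitive root 7, whose $q - 1 = 2 \cdot 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331$ is smooth, which is exactly the situation the algorithm exploits and the reason such a $q$ has to be avoided when selecting fields for cryptography.

```python
from math import isqrt
from typing import Dict, List, Tuple

# Constructed toy field, not from the paper: q = 2^31 - 1 is prime, 7 is a primitive
# root, and q - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331 is smooth, which is exactly the
# case in which Silver-Pohlig-Hellman is fast (and which Section 8 warns against).
P = 2**31 - 1
G = 7

def factor_trial(n: int) -> List[Tuple[int, int]]:
    """[(p_i, n_i), ...] with n = prod p_i^{n_i}; trial division is enough here."""
    out, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n, e = n // d, e + 1
        if e:
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out

def bsgs(h: int, y: int, order: int, q: int) -> int:
    """Shanks' baby-step giant-step: m with h^m = y (mod q), 0 <= m < order.
    Takes u = ceil(sqrt(order)) (the r = 1/2 point of the time-memory tradeoff):
    baby steps h^d, 0 <= d < u, fill a table; giant steps y h^{-cu} probe it."""
    u = isqrt(order - 1) + 1
    table: Dict[int, int] = {}
    hd = 1
    for d in range(u):
        table.setdefault(hd, d)
        hd = hd * h % q
    step = pow(hd, -1, q)                   # h^{-u}
    cur = y
    for c in range(u + 1):
        if cur in table:
            return c * u + table[cur]
        cur = cur * step % q
    raise ValueError("y is not a power of h")

def log_prime_power(g: int, x: int, p: int, n: int, q: int) -> int:
    """a mod p^n, digit by digit: b_j is read off y = (x g^{-(b_0 + ... + b_{j-1} p^{j-1})})^{(q-1)/p^{j+1}},
    which lies in the order-p subgroup generated by h = g^{(q-1)/p}."""
    h = pow(g, (q - 1) // p, q)
    a, g_inv = 0, pow(g, -1, q)
    for j in range(n):
        y = pow(x * pow(g_inv, a, q) % q, (q - 1) // p ** (j + 1), q)
        a += bsgs(h, y, p, q) * p ** j
    return a

def crt(residues: List[Tuple[int, int]]) -> int:
    """Combine a = a_i (mod m_i) for pairwise coprime m_i (Chinese Remainder Theorem)."""
    a, m = 0, 1
    for ai, mi in residues:
        t = (ai - a) * pow(m, -1, mi) % mi
        a, m = a + m * t, m * mi
    return a % m

def dlog(x: int, g: int = G, q: int = P) -> int:
    """Silver-Pohlig-Hellman: the a in [0, q-2] with g^a = x in GF(q)."""
    parts = [(log_prime_power(g, x, pi, ni, q), pi ** ni) for pi, ni in factor_trial(q - 1)]
    return crt(parts)
```

With the largest prime factor of $q-1$ being 331, every baby-step table here has at most 19 entries; the cost of the whole computation is governed by that largest factor, not by the size of $q$.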

The Silver-Pohlig-Hellman algorithm is efficient whenever all the prime factors of $q-1$ are 
reasonably small. (It is most efficient in fields in which $q$ is a Fermat prime, $q = 2^m + 1$, for which 
there is another polynomial-time discrete logarithm method [41].) Therefore great care has to be 
taken in selecting the fields $GF(q)$ for use in cryptography. This question will be discussed further 
in Section 8. 

We conclude this section by mentioning two interesting randomized algorithms due to 
Pollard [52]. One of them computes discrete logarithms in fields $GF(q)$ in time roughly $q^{1/2}$. The 
other algorithm finds the discrete logarithm of an element in time roughly $w^{1/2}$, if that logarithm is 
known to lie in an interval of size $w$. 

4. A subexponential discrete logarithm method 

This section presents the fastest known general purpose discrete logarithm method. The basic 
ideas are due to Western and Miller [65] (see also [47]). The algorithm was invented independently 
by Adleman [1], Merkle [46], and Pollard [52], and its computational complexity was partially 
analyzed by Adleman [1]. We will refer to it as the index-calculus algorithm. Previous authors 
were concerned largely with the fields $GF(p)$, where $p$ is a prime. Here the method will be 
presented as it applies to the fields $GF(2^n)$, since they are of greatest cryptographic interest. An 
extensive asymptotic analysis of the running time of the algorithm in this and the related cases 
$GF(p^n)$ with $p$ fixed and $n \to \infty$ was given recently by Hellman and Reyneri [30]. As will be 
shown below, their estimates substantially overestimate the running time of this algorithm. 

Recently some improvements on the index-calculus method as it applies to the fields $GF(2^n)$ 
were made by I. Blake, R. Fuji-Hara, R. Mullin, and S. Vanstone [8] which make it much more 
efficient, although these improvements do not affect the asymptotics of the running time. Even more 
recently, D. Coppersmith [18,19] has come up with a dramatic improvement on the $GF(2^n)$ version 
of the algorithm (and more generally on the $GF(p^n)$ version with $p$ fixed and $n \to \infty$) which is 
much faster and even has different asymptotic behavior. More recently, a whole series of 
improvements on the basic algorithm have been discovered [20]. They do not approach the 
Coppersmith algorithm in asymptotic performance, but they do apply to fields $GF(p)$ as well as 
$GF(2^n)$ and they can be used to motivate Coppersmith's algorithm (although they did not perform 
this function, having come afterwards), so we briefly sketch them as well. 

The model of computation we will assume in this section is that of the Random Access Machine 
(RAM), with no parallel computation. In Section 6 we will discuss what effect lifting this 
restriction might have. The index-calculus algorithm, at least in the form presented here, is a 
probabilistic method in that the analysis of its running time relies on assumptions about randomness 
and independence of various polynomials which seem reasonable but at present cannot be proved. 

Before presenting the algorithm, it is necessary to specify the notation that will be used. As 
usual, we regard the field $GF(2^n)$ as the ring of polynomials over $GF(2)$ modulo some irreducible 
polynomial $f(x)$ of degree $n$. Hence all elements $g \in GF(2^n)$ can be regarded as polynomials 
$g(x)$ over $GF(2)$ of degree $< n$. 

One very important factor in analyzing the performance of the index-calculus algorithm over 
$GF(2^n)$ is that polynomials over $GF(2)$ are very easy to factor. Algorithms are known [7,16,36,55] 
that can factor $g(x)$ in time polynomial in the degree of $g(x)$. Since the running time of the 
index-calculus algorithm in $GF(2^n)$ is much higher (of the form $\exp(c (n \log n)^{1/2})$ for the basic 
version and of the form $\exp(c\, n^{1/3} (\log n)^{2/3})$ for the Coppersmith version), we will neglect the time 
needed to factor polynomials in this section, since we will be concerned here with asymptotic 
estimates. In Section 6 we will perform a more careful analysis for some specific values of $n$. 

Suppose that $g(x)$, a polynomial of degree $< n$ over $GF(2)$, is a primitive element of $GF(2^n)$. 
The index-calculus method for computing discrete logarithms in $GF(2^n)$ with respect to the base 
$g(x)$ consists of two stages. The first stage, which is by far the more time and space consuming, 
consists of the construction of a large data base. This stage only has to be carried out once for any 
given field. The second stage consists of the computation of the desired discrete logarithms. 

We now present the basic version of the index-calculus algorithm. The initial preprocessing 
stage, which will be described later, consists of the computation of the discrete logarithms (with 
respect to $g(x)$) of a set $S$ of chosen elements of $GF(2^n)$. The set $S$ usually consists of all or 
almost all the irreducible polynomials over $GF(2)$ of degrees $\le m$, where $m$ is appropriately 
chosen. Once the preprocessing stage is completed, logarithms can be computed relatively rapidly. 
The basic idea is that given $h = h(x)$, to find $a \in \mathbb{Z}^+$ such that 

$h \equiv g^a \pmod f$, 

one chooses a random integer $s$, $1 \le s \le 2^n - 1$, and computes 

$h^* \equiv h g^s \pmod f$, $\deg h^* < n$. (4.1) 

The reduced polynomial $h^*$ is then factored into irreducible polynomials and if all its factors are 
elements of $S$, so that 

$h^* \equiv h g^s \equiv \prod_{v \in S} v^{b_v(h^*)} \pmod f$, (4.2) 

then 

$\log_g h \equiv \sum_{v \in S} b_v(h^*) \log_g v - s \pmod{2^n - 1}$. (4.3) 
In the form in which we have presented it so far, it is possible to obtain a fully rigorous bound 
for the running time of the second stage. The polynomials $h^*$ in (4.1) behave like random 
polynomials over $GF(2)$ of degree $< n$. Let $p(k,m)$ denote the probability that a polynomial over 
$GF(2)$ of degree exactly $k$ has all its irreducible factors of degrees $\le m$; i.e., if $N(k,m)$ is the 
number of polynomials $w(x) \in GF(2)[x]$ such that $\deg w(x) = k$ and 

$w(x) = \prod_i u_i(x)^{a_i}$, $\deg u_i(x) \le m$, 

then 

$p(k,m) = \frac{N(k,m)}{2^k}$. (4.4) 

We expect that if $S$ does consist of the irreducible polynomials of degrees $\le m$, the reduced 
polynomial $h^*$ in (4.1) will factor as in (4.2) with probability approximately $p(n,m)$, and that 
approximately $p(n,m)^{-1}$ of the polynomials of the form (4.1) will have to be generated before the 
second stage of the algorithm succeeds in finding the discrete logarithm of $h(x)$. (This reasoning 
explains why the set $S$ is usually chosen to consist of all irreducible polynomials of degrees $\le m$ for 
some fixed $m$; any other set of polynomials of equal cardinality is expected to have a smaller chance 
of producing a factorization of the form (4.2).) 

The function $p(n,m)$ can be evaluated fairly easily both numerically and asymptotically. 
Appendix A presents the basic recurrences satisfied by $N(n,m)$ (from which $p(n,m)$ follows 
immediately by (4.4)), and shows that as $n \to \infty$ and $m \to \infty$ in such a way that 
$n^{1/100} \le m \le n^{99/100}$ (which is the range of greatest interest in the index calculus algorithm), 

$p(n,m) = \exp\left((1+o(1)) \frac{n}{m} \log_e \frac{m}{n}\right)$. (4.5) 

Appendix B consists of a table of $p(n,m)$ for a selection of values of $n$ and $m$, which was 
computed using the recurrences in Appendix A. Approximations better than that of (4.5) for 
$p(n,m)$ can be obtained with more work, but for practical purposes the table of Appendix B is 
likely to be quite adequate and is more accurate to boot. The analysis of Hellman and Reyneri [30] 
relied on an estimate of $p(n,m)$ that was essentially equivalent to 

$p(n,m) \ge \exp\left((1+o(1)) \frac{n}{m} \log_e \frac{m}{n}\right)$, 

which while true, is much weaker than (4.5). 

The polynomials $h^*$ are always of degree $\le n-1$, and have degree $n-k$ with probability $2^{-k}$. 
Hence the probability that $h^*$ factors in the form (4.2) is better approximated by 

$\sum_{k=1}^{\infty} 2^{-k} p(n-k, m)$, 

which is approximately 

$p(n,m) \frac{(ne/m)^{1/m}}{2 - (ne/m)^{1/m}}$, 

as follows from the results of Appendix A. The last quantity above is $\sim p(n,m)$ as $n \to \infty$, 
$n^{1/100} \le m \le n^{99/100}$. Hence asymptotically this effect is unimportant, although for small values of 
$n$ and $m$ it can make a difference; for example, for $n = 127$ and $m = 17$ we obtain $1.51\, p(127, 17)$ 
as the correct estimate of the probability that $h^*$ will factor in the form (4.2). 

The relation (4.5) shows that the expected running time of the second stage of the algorithm, as 
it has been presented so far, is approximately 

$p(n,m)^{-1} = \left(\frac{n}{m}\right)^{(1+o(1))\, n/m}$. (4.6) 

It was recently observed by Blake, Fuji-Hara, Mullin, and Vanstone [8] that this stage can be 
speeded up very substantially, although at the cost of not being able to provide an equally rigorous 
bound for the running time. Their idea is not to factor the polynomial $h^*$ defined by (4.1) directly, 
but instead to find two polynomials $w_1$ and $w_2$ such that 

$h^* \equiv \frac{w_1}{w_2} \pmod f$, (4.7) 

and such that $\deg w_i \le n/2$ for $i = 1, 2$. Once that is done, the $w_i$ are factored, and if each is 
divisible only by irreducibles from $S$, say 

$w_i = \prod_{v \in S} v^{c_v(i)}$, (4.8) 

then 

$\log_g h \equiv \sum_{v \in S} \left(c_v(1) - c_v(2)\right) \log_g v - s \pmod{2^n - 1}$. (4.9) 

The advantage of this approach is that if the $w_i$ behave like independently chosen random 
polynomials of degree $\le n/2$, as seems reasonable, then the probability that both will factor into 
irreducibles of degrees $\le m$ is approximately $p([n/2], m)^2$, and therefore the expected number of 
polynomials $h^*$ that have to be tested is on the order of 

$p([n/2], m)^{-2} = \left(\frac{n}{2m}\right)^{(1+o(1))\, n/m}$. (4.10) 

This is smaller than the quantity in (4.6) by a factor of approximately $2^{n/m}$, and so is very important, 
provided the $w_i$ can be generated fast. 

The polynomials $w_i$ can be generated very rapidly (in time polynomial in $n$) by applying the 
extended Euclidean algorithm [36,42] to $h^*$ and $f$. This algorithm produces polynomials $\alpha$ and $\beta$ 
over $GF(2)$ such that $\alpha h^* + \beta f = 1$, the greatest common divisor of $h^*$ and $f$, and such that 
$\deg \alpha < \deg f = n$, $\deg \beta < \deg h^* < n$. To do this, the algorithm actually computes a sequence 
of triples of polynomials $(\alpha_j, \beta_j, \gamma_j)$ such that 

$\alpha_j h^* + \beta_j f = \gamma_j$, (4.11) 

where the final $(\alpha_j, \beta_j, \gamma_j) = (\alpha, \beta, 1)$, $\deg \gamma_1 > \deg \gamma_2 > \cdots$, and where $\deg \alpha_j \le n - 1 - \deg \gamma_j$. If 
we choose that $j$ for which $\deg \gamma_j$ is closest to $n/2$, then $w_1 = \gamma_j$ and $w_2 = \alpha_j$ will satisfy the 
congruence (4.7), and their degrees will be relatively close to $n/2$ most of the time. These $w_1$ and 
$w_2$ are not completely independent (for example, they have to be relatively prime), but on the other 
hand their degrees will often be less than $n/2$, so on balance it is not unreasonable to expect that the 
probability of both having a factorization of the form (4.8) should be close to $p([n/2], m)^2$. 

The above observations justify the claim that the second stage of the index-calculus algorithm, as 
modified by Blake et al., ought to take on the order of $p([n/2], m)^{-2}$ operations on polynomials of 
degree $< n$ over $GF(2)$, where each such polynomial operation might involve on the order of $n^3$ bit 
operations. For small values of $n$, $p([n/2], m)$ can be found in Appendix B, while for very large $n$, 
the quantity on the right side of (4.10) ought to be a reasonable approximation to the running time 
of the second stage. 

It is clear that the running time of the second stage can be decreased by increasing $m$. Doing 
that, however, increases both storage requirements and the running time of the first (preprocessing) 
stage of the algorithm. It is well known (see Appendix A) that the number of irreducible 
polynomials of degree $\le m$ is very close to $m^{-1} 2^{m+1}$, and for each one it is necessary to store 
roughly $n$ bits, namely its logarithm (which is in the range $[1, 2^n - 1]$). This already puts a limit on 
how large $m$ can be, but this limit is not very stringent, since these discrete logarithms can be stored 
on slow storage devices, such as tape. This is due to the fact that they are needed only once in the 
computation of each discrete logarithm by stage two, when both of the polynomials $w_i$ are 
discovered to have factorizations of the form (4.8). Thus this argument does not exclude the use of 
values of $m$ on the order of 40. 

A much more severe limitation on the size of $m$ and $n$ is placed by the preprocessing first stage, 
which we now discuss. The basic idea there is to choose a random integer $s$, $1 \le s \le 2^n - 1$, form 
the polynomial 

$h^* \equiv g^s \pmod f$, $\deg h^* < n$, 

and check whether $h^*$ factors into irreducible factors from $S$. If it does, say 

$h^* = \prod_{v \in S} v^{b_v(h^*)}$, (4.12) 

then we obtain the congruence 

$s \equiv \sum_{v \in S} b_v(h^*) \log_g v \pmod{2^n - 1}$. (4.13) 

Once we obtain slightly more than $|S|$ such congruences, we expect that they will determine the 
$\log_g v$, $v \in S$, uniquely modulo $2^n - 1$, and the first stage will be completed. There is a complication 
here in that $2^n - 1$ is not in general a prime, so that solving the system (4.13) might require working 
separately modulo the different prime power divisors of $2^n - 1$ and using the Chinese Remainder 
Theorem to reconstruct the values of $\log_g v$. This complication is not very serious, and if it does 
occur, it should lead to a speedup in the performance of the algorithm, since arithmetic would have 
to be done on smaller numbers. In any case this complication does not arise when $2^n - 1$ is a prime. 
A general linear system of the form (4.13) for the $\log_g v$ takes on the order of $|S|^3$ steps to solve if 
we use straightforward gaussian elimination. (We neglect here multiplicative factors on the order of 
$O(n^2)$.) This can be lowered to $|S|^r$ for $r = 2.495548\ldots$ using known fast matrix multiplication 
algorithms [21], but those are not practical for reasonably sized $|S|$. The use of Strassen's matrix 
multiplication algorithm [10] might be practical for large $n$, and would lower the running time to 
about $|S|^r$ with $r = \log_2 7 = 2.807\ldots$. However, the systems of linear equations that arise in the 
index-calculus algorithms are quite special in that they are quite sparse (i.e., there are only a few 
nonzero coefficients). It was only recently discovered that this sparseness can be effectively 
exploited, and systems (4.13) can be solved in time essentially $|S|^2$. This development will be 
described in Section 5.7. 

Generation of $|S|$ congruences of the form (4.13) takes about 

$|S|\, p(n,m)^{-1}$ 

steps if we use the algorithm as described above. If instead we use the Blake et al. modification 
described in connection with the second stage, in which instead of factoring $h^*$ right away, we first 
express it in the form (4.7) with $\deg w_i \le n/2$, $i = 1, 2$, and then factor the $w_i$, then generation of 
$|S|$ of the congruences (4.13) ought to take on the order of 

$|S|\, p([n/2], m)^{-2}$ (4.14) 

steps, where each step takes a polynomial number (in $n$) of bit operations. Thus the first stage of 
the algorithm takes on the order of 

$|S|\, p([n/2], m)^{-2} + |S|^2$ (4.15) 

steps. Hence using our approximations to $p(k,m)$ and $|S|$ and discarding polynomial factors yields 
an estimate of the running time of the form 

$2^m \left(\frac{n}{2m}\right)^{n/m} + 2^{2m}$. (4.16) 

(To be precise, the exponents in (4.16) should be multiplied by $1 + o(1)$.) The quantity 

$2^m \left(\frac{n}{2m}\right)^{n/m}$ 

is minimized approximately for $m = c_1 (n \log_e n)^{1/2}$, where 

$c_1 = (2 \log_e 2)^{-1/2} = 0.8493\ldots$, 

in which case 

$2^m \left(\frac{n}{2m}\right)^{n/m} = \exp\left((c_2 + o(1)) \sqrt{n \log_e n}\right)$ as $n \to \infty$, (4.17) 

where 

$c_2 = c_1 \log_e 2 + (2 c_1)^{-1} = (2 \log_e 2)^{1/2} = 1.1774\ldots$. 

For $m \sim c_1 (n \log_e n)^{1/2}$, $2^{2m}$ is also of the form (4.17), so the time to solve the system of linear 
equations is of the same asymptotic form as the time needed to generate them. 

If we modify the notation used by Pomerance [53] in his survey of integer factorization and let 
$M = M(n)$ represent any quantity satisfying 

$M = \exp\left((1+o(1)) (n \log_e n)^{1/2}\right)$ as $n \to \infty$, 

then our analysis shows that the first stage of the basic index-calculus algorithm can be carried out 
in time $M^{1.178}$. 

The time required by the second stage of the index-calculus algorithm to compute a single 
discrete logarithm is 

This running time estimate is much lower than for the first stage. The space requirements of the 
second stage are essentially negligible. It is necessary to have access to the logarithms of the 
elements of $S$, which requires 

$\exp\left((c_1 \log_e 2 + o(1)) (n \log_e n)^{1/2}\right)$ 

bits of storage, but these logarithms are needed only once, and so they can be stored on a cheap 
slow-access device, such as tape. 

Our estimates for the running time of the basic index-calculus algorithm for the fields $GF(2^n)$ 
are substantially smaller than those of Hellman and Reyneri [30]. This is due primarily to our use 
of a more accurate estimate for $p(n,m)$. The Blake et al. innovation which replaces the polynomial 
$h^*$ by the quotient of two polynomials, each of roughly half the degree of $h^*$, turns out not to affect 
the asymptotic estimate, since it improves the running time only by the factor $2^{n/m}$, which is $M^{o(1)}$ 
for $m \sim c (n \log_e n)^{1/2}$. However, for values of $n$ that might be of practical interest, say 
$200 \le n \le 1000$, and best possible choices of $m$, this factor $2^{n/m}$ is very important, speeding up the 
algorithm by between two and ten orders of magnitude. 

We next describe several algorithms that improve on the asymptotic performance of the basic 
index-calculus algorithm to an extent greater than the Blake et al. [8] modification. They are 
nowhere near as fast as the Coppersmith version, since they still run in time $M^c$ for some constant 
$c > 0$, but they have the property that $c < c_2$. They are presented here very briefly in order to 
show the variety of methods that are available, and also to motivate the Coppersmith algorithm. 
Like the Coppersmith method, these variants depend on the polynomial $f(x)$ that defines the field 
being of a somewhat special form, namely 

$f(x) = x^n + f_1(x)$, (4.18) 

where the degree of $f_1(x)$ is small. Since approximately one polynomial of degree $n$ out of $n$ is 
irreducible (cf. Appendix A), we can expect to find $f(x)$ of the form (4.18) with 
$\deg f_1(x) \le \log_2 n$. (The $f_1(x)$ of smallest degrees for which $x^n + f_1(x)$ is irreducible for some 
interesting values of $n$ are $f_1(x) = x + 1$ for $n = 127$, $f_1(x) = x^9 + x^6 + x^5 + x^2 + x + 1$ for $n = 521$, 
$f_1(x) = x^9 + x^7 + x^6 + x^3 + x + 1$ for $n = 607$, and $f_1(x)$ = x u +x 9 +x*+x 5 +x i +x 1 +x+l for 
$n = 1279$.) As is explained in Section 5.2, this is not a severe restriction, since being able to 
compute logarithms rapidly in one representation of a field enables one to compute logarithms in any 
other representation just about as fast. 

The first algorithm we discuss is one of several that have the same asymptotic performance. 
(The other algorithms in this group are described in [20], at least in the form applicable to fields 
$GF(p)$.) It is basically an adaptation of the Schroeppel factorization algorithm [20,53]. We assume 
that $f(x)$ is of the form (4.18) with $\deg f_1(x) < n/2$, say. This time we let $S = S_1 \cup S_2$, where 
$S_1$ consists of the irreducible polynomials of degrees $\le m$, and $S_2$ of polynomials of the form 

$x^k + g(x)$, $\deg g(x) \le m$, (4.19) 

where $k = \lceil n/2 \rceil$ is the least integer $\ge n/2$. Consider any $h_1(x), h_2(x) \in S_2$. If 

$h_i(x) = x^k + \bar{h}_i(x)$, $i = 1, 2$, 

then, if we write $2k = n + a$, $a = 0$ or $1$, we have 

$h_1(x) h_2(x) = x^{2k} + x^k\left(\bar{h}_1(x) + \bar{h}_2(x)\right) + \bar{h}_1(x)\bar{h}_2(x)$ 
$\qquad = x^a\left(f(x) + f_1(x)\right) + x^k\left(\bar{h}_1(x) + \bar{h}_2(x)\right) + \bar{h}_1(x)\bar{h}_2(x)$ (4.20) 
$\qquad \equiv x^k\left(\bar{h}_1(x) + \bar{h}_2(x)\right) + \bar{h}_1(x)\bar{h}_2(x) + x^a f_1(x) \pmod{f(x)}$, 

and so the polynomial on the right side of (4.20) is of degree roughly $n/2$ (for $m = o(n)$, as will be 
the case). If that polynomial, call it $h'(x)$, factors into irreducible polynomials of degrees $\le m$, say 

$h'(x) = \prod_{v \in S_1} v^{b_v(h')}$, 

then (4.20) yields a linear equation for the logarithms of the elements of $S$: 

$\log_g h_1 + \log_g h_2 \equiv \sum_{v \in S_1} b_v(h') \log_g v \pmod{2^n - 1}$. (4.21) 

Since each of $S_1$ and $S_2$ has on the order of $2^m$ elements, once we obtain about $2^m$ equations of the 
form (4.21), we ought to be able to solve them and obtain the discrete logarithms of the elements of 
$S_1$, which is what is desired. Now there are approximately $2^{2m}$ different pairs $h_1, h_2$ that can be 
tested, and if the $h'$ behave like random polynomials of degrees about $n/2$, each will factor into 
irreducibles of degrees $\le m$ with probability approximately $p([n/2], m)$. Hence we will have to 
perform about $2^{2m}$ polynomial time factorizations and obtain about $2^{2m} p([n/2], m)$ equations of 
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the form (4.21). Therefore we need 

2 2 " 1 p([n/2], m) > 2 m , (4.22) 

and the work we do is on the order of 2 2 " 1 , since the linear equations can also be solved in this much 
time. To minimize the running time, we choose the smallest m for which (4.22) is satisfied, and a 
brief computation shows -that the right choice is m — c 3 (n log, n) l/2 as «—►«>, with 
c 3 — (4 log, 2)~ l/2 , so that the running time of the first stage of this algorithm is 

M c ' - Af 0-8325 - , c 4 - (log, 2) 1/2 . (4.23) 

The improvement in the exponent of $M$ in the running time estimate of the first stage, from $1.177\ldots$ in the basic algorithm to $0.832\ldots$ in the version above, was due to the fact that this time, in order to obtain a linear equation, we only had to wait for a single polynomial of degree about $n/2$ to split into low degree irreducibles, instead of a single polynomial of degree $n$ or two polynomials of degree $n/2$. In the next algorithm, we obtain a further improvement by reducing to the problem of a single polynomial of degree about $n/3$ splitting into low degree irreducibles. The method is an adaptation of the so-called "cubic sieve" for factoring integers, which was invented by J. Reyneri some years ago and rediscovered independently several times since then (see [20] for further details). This time we assume that $f(x)$ has the form (4.18) with $\deg f_1(x) < n/3$. We set $k = \lceil n/3 \rceil$ and let $S = S_1 \cup S_2$, with $S_1$ consisting of the irreducible polynomials of degrees $\le m$ and $S_2$ of polynomials of the form $x^k + h(x)$, $\deg h(x) \le m$. We consider pairs $h_1(x)$ and $h_2(x)$ with each $h_i(x)$ of degree $\le m$, and let

    $$h^*(x) \equiv (x^k + h_1(x))\,(x^k + h_2(x))\,(x^k + h_1(x) + h_2(x)) \pmod{f(x)}, \qquad (4.24)$$

$0 \le \deg h^*(x) < n$. Expanding in characteristic 2 (the two $x^{2k}$ terms cancel), we then have

    $$h^*(x) \equiv x^{3k} + x^k\,(h_1^2 + h_1 h_2 + h_2^2) + h_1 h_2\,(h_1 + h_2) \pmod{f}, \qquad (4.25)$$

and since

    $$x^{3k} \equiv x^a f_1(x) \pmod{f(x)}$$

for some $a$, $0 \le a \le 2$, we find that $h^*(x)$ is of degree about $k \approx n/3$ if $m = o(n)$. If $h^*(x)$ is divisible only by irreducibles in $S_1$, we obtain a linear equation relating logarithms of three elements of $S_2$ to those of elements of $S_1$. There are about $2^{2m}$ pairs $h_1(x), h_2(x)$ to test, and so if the $h^*(x)$ behave like random polynomials of degrees $\approx n/3$, we expect to obtain about $2^{2m}\,p([n/3], m)$ equations. Since there are about $2^m$ elements of $S$, we therefore need to choose $m$ so that

    $$2^{2m}\,p([n/3], m) \ \ge\ 2^m. \qquad (4.26)$$

The time to run the algorithm is (within polynomial factors of $n$) $2^{2m}$, both to form and factor the polynomials $h^*(x)$ and to solve the system of linear equations. A simple computation shows that the smallest $m$ that satisfies (4.26) has $m \sim c_5\,(n \log_e n)^{1/2}$, where $c_5 = (6 \log_e 2)^{-1/2}$, and the running time of the first phase of this algorithm is

    $$M^{c_6} = M^{0.6797\ldots}, \qquad\text{where } c_6 = (2(\log_e 2)/3)^{1/2}. \qquad (4.27)$$

The running times of the second phases of the two algorithms presented above can be improved beyond what is obtained by using the strategy of the basic variant, but we will not discuss that subject. Details can be found in [20] for the case of the fields $GF(p)$, $p$ a prime, and it is easy to adapt those methods to the fields $GF(2^n)$.

The variants of the index-calculus algorithm presented above raise the question of whether they can be generalized so as to give even faster algorithms. The obvious idea is to use more than three factors and choose those factors in such a way that the product will reduce modulo $f(x)$ to a polynomial of low degree. A very clever way to do this was found by Coppersmith [18,19]. However, his work was motivated by different considerations.

We next present the Coppersmith variation [18,19] on the index-calculus algorithm. Unlike the basic algorithm, which runs in time roughly of the form $\exp(n^{1/2})$ in fields $GF(2^n)$, this new variation runs in time which is roughly of the form $\exp(n^{1/3})$. Unlike the basic version, though, the Coppersmith variant does not apply to the fields $GF(p)$ with $p$ prime. Just like the algorithms presented above, the Coppersmith algorithm relies on several unproved assumptions. Since these assumptions are supported by both heuristic reasoning and empirical evidence, though, there seems to be no reason to doubt the validity of the algorithm.
The Coppersmith algorithm was inspired to a large extent by the Blake et al. [8] method of systematic equations, which is explained in Section 5.1, and which yields many linear equations involving logarithms at very low cost. Like the systematic equations method, it depends on the polynomial $f(x)$ being of the special form (4.18) with $f_1(x)$ of very low degree.

We now discuss the first stage of the Coppersmith variant of the index-calculus algorithm. We assume that the field $GF(2^n)$ is defined by a polynomial $f(x)$ that is of the form (4.18) with $\deg f_1(x) < \log_2 n$. The first stage consists again of the computation of logarithms of $v \in S$, where $S$ consists of irreducible polynomials of degrees $\le m$, but now $m$ will be much smaller, on the order of $n^{1/3}(\log_e n)^{2/3}$. We will also assume that $g(x) \in S$, since it follows from Section 5.2 that this restriction does not affect the running time of the algorithm.

The essence of the Blake et al. [8] improvement of the basic index-calculus algorithm is that it replaced the factorization of a single polynomial of degree about $n$ by the factorization of two polynomials of degrees about $n/2$ each. The essence of the two improvements discussed above was that they rely on the factorization of polynomials of degrees about $n/2$ and $n/3$, respectively, into low degree irreducibles. The essence of the Coppersmith [18,19] improvement is that it instead relies on the factorization of two polynomials of degrees on the order of $n^{2/3}$ each. The lower the degree of the polynomials being factored, the greater the probability that they will consist only of small degree irreducible factors. To accomplish this lowering of the degree, take $k \in \mathbb{Z}^+$ ($k$ will be chosen later so that $2^k$ is on the order of $n^{1/3}(\log_e n)^{-1/3}$) and define

    $$h = \lfloor n\,2^{-k} \rfloor + 1. \qquad (4.28)$$

Pick $u_1(x)$ and $u_2(x)$ of degrees $\le B$ ($B$ will be chosen later to be on the order of $n^{1/3}(\log_e n)^{2/3}$) with $(u_1(x), u_2(x)) = 1$, and set

    $$w_1(x) = u_1(x)\,x^h + u_2(x). \qquad (4.29)$$

Next let

    $$w_2(x) \equiv w_1(x)^{2^k} \pmod{f(x)}, \qquad \deg w_2(x) < n. \qquad (4.30)$$

Since raising to the power $2^k$ is additive over $GF(2)$ and $u(x)^{2^k} = u(x^{2^k})$, we then have

    $$w_2(x) \equiv u_1(x^{2^k})\,x^{h 2^k} + u_2(x^{2^k}) \pmod{f(x)}$$

    $$\phantom{w_2(x)} \equiv u_1(x^{2^k})\,x^{h 2^k - n} f_1(x) + u_2(x^{2^k}) \pmod{f(x)}, \qquad (4.31)$$

where the second line uses $x^n \equiv f_1(x) \pmod{f(x)}$ and $h 2^k \ge n$, which (4.28) guarantees. If $B$ and $2^k$ are on the order of $n^{1/3}$, then $h$ is on the order of $n^{2/3}$, $h 2^k - n$ is on the order of $n^{1/3}$, and so both $w_1(x)$ and $w_2(x)$ have degrees on the order of $n^{2/3}$. Since

    $$\log_g w_2(x) \equiv 2^k \log_g w_1(x) \pmod{2^n - 1},$$

if both $w_1(x)$ and $w_2(x)$ have all their irreducible factors in $S$ we obtain a linear equation for the $\log_g v$, $v \in S$. (The restriction $(u_1(x), u_2(x)) = 1$ serves to eliminate duplicate equations, since the pairs $u_1(x), u_2(x)$ and $u_1(x)t(x), u_2(x)t(x)$ produce the same equations.)
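As an added illustration of (4.28)-(4.31) (this is example code written for this edition, not Coppersmith's or the paper's own program): the construction in $GF(2^{127})$ with the trinomial $f(x) = x^{127} + x + 1$, so $f_1(x) = x + 1$. Polynomials over $GF(2)$ are represented as Python integers with bit $i$ holding the coefficient of $x^i$. The parameter $k = 2$ (so $2^k = 4$) is an assumed choice in the range (4.34a) suggests for this $n$, $h = 32$ is then what (4.28) gives, and $B = 4$ is taken small enough to enumerate every coprime pair $(u_1, u_2)$. The code verifies that $w_2 = w_1^{2^k} \bmod f$ really equals the closed form (4.31), which is what keeps its degree near $B\,2^k$ instead of $n$, and records the largest degrees that occur:

```python
# Added example: the Coppersmith relation (4.28)-(4.31) in GF(2^127), f(x) = x^127 + x + 1.
# Polynomials over GF(2) are Python ints, bit i = coefficient of x^i.  k = 2 is an assumed
# parameter choice; h follows from (4.28); B = 4 keeps the enumeration small.

N = 127
F = (1 << N) | 0b11            # f(x) = x^127 + x + 1
F1 = F ^ (1 << N)              # f_1(x) = x + 1, so x^n = f_1(x) (mod f)
K = 2                          # 2^k = 4, roughly n^(1/3) (log n)^(-1/3), cf. (4.34a)
H = (N >> K) + 1               # (4.28): h = floor(n 2^-k) + 1 = 32


def deg(a):
    return a.bit_length() - 1


def mul(a, b):
    """Carry-less (GF(2)[x]) product."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a, f):
    """a mod f in GF(2)[x] by shift-and-xor long division."""
    df = deg(f)
    while a and deg(a) >= df:
        a ^= f << (deg(a) - df)
    return a


def gcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def frob(a, k, f):
    """a(x)^(2^k) mod f(x), by k squarings."""
    for _ in range(k):
        a = pmod(mul(a, a), f)
    return a


def spread(a, k):
    """a(x^(2^k)) as a polynomial: over GF(2) this just moves bit i to bit i * 2^k."""
    r, i = 0, 0
    while a >> i:
        if a >> i & 1:
            r |= 1 << (i << k)
        i += 1
    return r


def relation(u1, u2, k=K, f=F):
    """Return (w_1, w_2, closed): w_1 from (4.29), w_2 from (4.30), and the right side
    of (4.31), which must agree with w_2."""
    n = deg(f)
    f1 = f ^ (1 << n)
    h = (n >> k) + 1
    w1 = (u1 << h) ^ u2                              # u_1(x) x^h + u_2(x)
    w2 = frob(w1, k, f)                              # w_1^(2^k) mod f
    # (4.31): w_1^(2^k) = u_1(x^(2^k)) x^(h 2^k) + u_2(x^(2^k)), and
    # x^(h 2^k) = x^(h 2^k - n) x^n = x^(h 2^k - n) f_1(x) (mod f), with h 2^k - n >= 0.
    closed = pmod(mul(spread(u1, k) << (h * (1 << k) - n), f1) ^ spread(u2, k), f)
    return w1, w2, closed


def degree_profile(B, k=K, f=F):
    """Run every coprime pair (u_1, u_2) of degrees <= B through relation(); check (4.31)
    and the degree bounds deg w_1 <= B + h, deg w_2 <= B 2^k + 2^k + deg f_1."""
    n = deg(f)
    f1 = f ^ (1 << n)
    h = (n >> k) + 1
    pairs = max1 = max2 = 0
    for u1 in range(1, 1 << (B + 1)):
        for u2 in range(1, 1 << (B + 1)):
            if gcd(u1, u2) != 1:
                continue                             # would only duplicate an equation
            w1, w2, closed = relation(u1, u2, k, f)
            assert w2 == closed
            pairs += 1
            max1, max2 = max(max1, deg(w1)), max(max2, deg(w2))
    assert max1 <= B + h and max2 <= B * (1 << k) + (1 << k) + deg(f1)
    return pairs, max1, max2


if __name__ == "__main__":
    print("h =", H, "; (coprime pairs, max deg w1, max deg w2) =", degree_profile(4))
```

Each pair yields $\log_g w_2 \equiv 2^k \log_g w_1 \pmod{2^{127} - 1}$; that becomes an equation for the $\log_g v$, $v \in S$, only for those pairs in which both $w_1$ (degree up to $B + h = 36$ here) and $w_2$ (degree up to $18$ here) are $m$-smooth, and testing that quickly is the subject of Section 5.3.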

We next consider the Coppersmith algorithm in greater detail. We need to obtain about $|S|$ linear equations for the $\log_g v$, $v \in S$. Now

    $$\deg w_1(x) \le B + h,$$

    $$\deg w_2(x) \le B \cdot 2^k + 2^k + \deg f_1(x),$$

so if $w_1(x)$ and $w_2(x)$ behave like independent random polynomials of those degrees, then the probability that both $w_1(x)$ and $w_2(x)$ have all their irreducible factors in $S$ is approximately

    $$p(B + h, m)\;p(B\,2^k + 2^k, m). \qquad (4.32)$$

Of course $w_1(x)$ and $w_2(x)$ are neither independent nor random. However, as far as their factorizations are concerned, it does not appear unreasonable to expect that they will behave like independent random polynomials, and this does turn out to hold in the case $n = 127$ studied by Coppersmith [18,19]. Therefore to obtain $|S| \sim m^{-1} 2^{m+1}$ equations we need to satisfy

    $$2^{2B}\;p(B + h, m)\;p(B\,2^k + 2^k, m) \ \ge\ 2^m. \qquad (4.33)$$

The work involved consists of generating approximately $2^{2B}$ polynomials $w_1(x)$ and testing whether both $w_1(x)$ and $w_2(x)$ have all their irreducible factors in $S$. Once these roughly $2^m$ equations are generated, it becomes necessary to solve them, which takes about $2^{2m}$ operations. The estimate (4.5) shows that to minimize the running time, which is approximately

    $$2^{2B} + 2^{2m},$$

subject to (4.33), it is necessary to take

    $$2^k \sim \alpha\, n^{1/3} (\log_e n)^{-1/3}, \qquad (4.34a)$$

    $$m \sim \beta\, n^{1/3} (\log_e n)^{2/3}, \qquad (4.34b)$$

    $$B \sim \gamma\, n^{1/3} (\log_e n)^{2/3}, \qquad (4.34c)$$

as $n \to \infty$, where $\alpha$, $\beta$, and $\gamma$ are bounded away from both zero and infinity. Under these conditions we find that the running time of the first stage of the algorithm is

    $$K^{2\gamma \log_e 2} + K^{2\beta \log_e 2}, \qquad (4.35)$$

where $K = K(n)$ denotes any quantity that satisfies

    $$K = \exp\!\big((1 + o(1))\, n^{1/3} (\log_e n)^{2/3}\big), \qquad (4.36)$$

and this is subject to the condition

    $$2\gamma \log_e 2 \;-\; \frac{1}{3\alpha\beta} \;-\; \frac{\alpha\gamma}{3\beta} \ \ge\ (1 + o(1))\,\beta \log_e 2. \qquad (4.37)$$

Let us now regard $\alpha$, $\beta$, and $\gamma$ as continuous variables. Since the estimate (4.35) does not depend on $\alpha$, we can choose $\alpha$ freely. The quantity on the left side of (4.37) is maximized for

    $$\alpha = \gamma^{-1/2}, \qquad (4.38)$$

and for this choice of $\alpha$, (4.37) reduces to (after neglecting the $1 + o(1)$ factor)

    $$2\gamma \log_e 2 \ \ge\ \beta \log_e 2 + \tfrac{2}{3}\,\gamma^{1/2}\beta^{-1}. \qquad (4.39)$$

To minimize the asymptotic running time of the algorithm, we have to choose $\beta$ and $\gamma$ so that (4.39) is satisfied and $\max(2\gamma, 2\beta)$ is minimized. A short calculation shows that the optimal choice is obtained when $\gamma = \beta$ and equality holds in (4.37), which yields

    $$\beta = 2^{2/3}\, 3^{-2/3}\, (\log_e 2)^{-2/3} = 0.9743\ldots\ . \qquad (4.40)$$

The running time for this choice is

    $$K^{2\beta \log_e 2} = K^{1.3507\ldots},$$

and the space required is $K^{\beta \log_e 2} = K^{0.6753\ldots}$.
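As an added check of (4.40) (not in the original text): with $\gamma = \beta$ and equality in (4.39), the condition becomes

    $$2\beta \log_e 2 = \beta \log_e 2 + \tfrac{2}{3}\,\beta^{1/2}\beta^{-1}, \qquad\text{i.e.}\qquad \beta^{3/2} = \frac{2}{3 \log_e 2},$$

so

    $$\beta = \Big(\frac{2}{3 \log_e 2}\Big)^{2/3} = 2^{2/3}\,3^{-2/3}\,(\log_e 2)^{-2/3} = 0.9743\ldots,$$

and the exponents are $2\beta \log_e 2 = 1.3507\ldots$ for the time and $\beta \log_e 2 = 0.6753\ldots$ for the space. The choice $\alpha = \gamma^{-1/2}$ in (4.38) is the stationary point of $-\frac{1}{3\alpha\beta} - \frac{\alpha\gamma}{3\beta}$ in $\alpha$, where both terms equal $-\frac{\gamma^{1/2}}{3\beta}$; their sum is the $\frac{2}{3}\gamma^{1/2}\beta^{-1}$ of (4.39).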

The analysis above assumed that $\alpha$, $\beta$, and $\gamma$ could all be treated as continuous variables. This is essentially true in the case of $\beta$ and $\gamma$, but not in the case of $\alpha$, since (4.34a) has to hold with $k$ a positive integer. Since the analysis is straightforward but tedious, we do not discuss the general situation in detail but only mention that the running time of the Coppersmith algorithm and the space required are of the form $K^u$, where $u$ is a function of $\log_2\!\big(n^{1/3}(\log_e n)^{-1/3}\big)$ which is periodic with period 1. The minimal value of $u$ is $2\beta \log_e 2$, with $\beta$ given by (4.40), while the maximal value of $u$ is $3^{2/3}\beta \log_e 2 = (2.08008\ldots)\,\beta \log_e 2$. Thus we are faced with the not uncommon situation in which the running time of the algorithm does not satisfy a simple asymptotic relation but exhibits periodic oscillations.

We next discuss the second stage of the Coppersmith algorithm, which computes logarithms of arbitrary elements. It is somewhat more involved than the second stage of the basic version of the algorithm. If $h$ is a polynomial whose logarithm is to be determined, then Coppersmith's second stage consists of a sequence of steps which replace $h$ by a sequence of polynomials of decreasing degrees. The first step is similar to the second stage of the basic algorithm and consists of selecting a random integer $s$, forming $h^*$ as in (4.1), and checking whether $h^*$ has all its irreducible factors of degrees $\le n^{2/3}(\log_e n)^{1/3}$, say. (In practice, one would again replace $h^*$ by $w_1/w_2$, where the degrees of the $w_i$ are $\le n/2$, and the bound on the degrees of the irreducible factors might be somewhat different, but that is not very important.) The probability of success is approximately $p(n, n^{2/3}(\log_e n)^{1/3})$, so we expect to succeed after

    $$p\big(n,\; n^{2/3}(\log_e n)^{1/3}\big)^{-1} = K^{1/3} = K^{0.3333\ldots} \qquad (4.41)$$

trials. When we do succeed with some value of $s$, we obtain

    $$h \equiv g^{-s} \prod_i u_i \pmod{f(x)},$$

where the $u_i$ are of degrees $\le n^{2/3}(\log_e n)^{1/3}$, and there are $\le n$ of them (since their product is a polynomial of degree $< n$). This then yields

    $$\log_g h \equiv -s + \sum_i \log_g u_i \pmod{2^n - 1}, \qquad (4.42)$$

and so if we find the $\log_g u_i$, we obtain $\log_g h$.

Suppose next that $u$ is a polynomial of degree $\le B \le n^{2/3}(\log_e n)^{1/3}$ (say one of the $u_i$ above, in which case $B = n^{2/3}(\log_e n)^{1/3}$). We again reduce the problem of computing $\log_g u$ to that of computing logarithms of several polynomials of lower degrees. We select $2^k$ to be a power of 2 close to $(n/B)^{1/2}$ (precise choice to be specified later), and let

    $$d = \lfloor n\,2^{-k} \rfloor + 1. \qquad (4.43)$$

Consider polynomials

    $$w_1(x) = v_1(x)\,x^d + v_2(x), \qquad (4.44)$$

where $\deg v_1(x), \deg v_2(x) \le b$ ($b$ to be specified later), $(v_1(x), v_2(x)) = 1$, and $u(x) \mid w_1(x)$. If

    $$w_2(x) \equiv w_1(x)^{2^k} \pmod{f(x)}, \qquad \deg w_2(x) < n, \qquad (4.45)$$

then (for $b$ small)

    $$w_2(x) = v_1(x^{2^k})\,x^{d 2^k - n} f_1(x) + v_2(x^{2^k}),$$

and thus $w_1(x)$ and $w_2(x)$ both have low degrees. If $w_1(x)/u(x)$ and $w_2(x)$ both factor into irreducible polynomials of low degree, say

    $$w_1(x) = u(x) \prod_i s_i(x),$$

    $$w_2(x) = \prod_j t_j(x),$$

then we obtain

    $$\sum_j \log_g t_j(x) \equiv \log_g w_2(x) \equiv 2^k \log_g w_1(x) \equiv 2^k \Big(\log_g u(x) + \sum_i \log_g s_i(x)\Big) \pmod{2^n - 1}.$$

This reduces the computation of $\log_g u$ to the computation of the $\log_g t_j$ and the $\log_g s_i$.
We next analyze how much of a reduction this is. The probability that $w_1(x)/u(x)$ and $w_2(x)$ both factor into irreducible polynomials of degrees $\le M$ is approximately

    $$p\big(d + b - \deg u(x),\, M\big)\;p\big(b\,2^k + 2^k + \deg f_1(x),\, M\big),$$

and the number of pairs of polynomials $v_1(x), v_2(x)$ of degrees $\le b$ with $(v_1(x), v_2(x)) = 1$ and $u(x) \mid w_1(x)$ is approximately

    $$2^{2b - \deg u(x)}.$$

(Divisibility by $u(x)$ is determined by a set of $\deg u(x)$ linear equations for the coefficients of $v_1(x)$ and $v_2(x)$.) Hence to find $v_1(x)$ and $v_2(x)$ such that $w_1(x)$ and $w_2(x)$ factor in the desired fashion we select $b$ to be approximately

    $$\big(n^{1/3}(\log_e n)^{2/3}(\log_e 2)^{-1} + \deg u(x)\big)/2, \qquad (4.46)$$

and select $2^k$ to be the power of 2 nearest to $(n/b)^{1/2}$. We then expect to obtain the desired factorization in time

    $$K = \exp\!\big((1 + o(1))\,n^{1/3}(\log_e n)^{2/3}\big),$$

with $M$ being the largest integer for which

    $$K\;p\big(d + b - \deg u(x),\, M\big)\;p\big(b\,2^k + 2^k + \deg f_1(x),\, M\big) \ \ge\ 1. \qquad (4.47)$$

If $B \sim n^{2/3}(\log_e n)^{1/3}$ (as occurs in the first step of the second stage of the Coppersmith algorithm), we find that we can take $M \sim c\,n^{1/2}(\log_e n)^{1/2}$, and if $B \sim c\,n^{1/2}(\log_e n)^{1/2}$, then we can take $M \sim c'\,n^{5/12}(\log_e n)^{7/12}$. More generally, it is also easy to show that if $B \ge n^{1/3}(\log_e n)^{2/3}$, say, then we can take $M \le B/1.1$, so that each iteration decreases the degrees of the polynomials whose logarithms we need to compute by a factor $\ge 1.1$, while raising the number of these polynomials by a factor $\le n$. When $B \le (1.1)^{-1} n^{1/3}(\log_e n)^{2/3}$, the polynomial $u(x)$ is already in our data base, and we only need to read off its logarithm. Thus we expect to perform

    $$\le \exp\!\big(c''(\log_e n)^2\big) = K^{o(1)}$$

iterations of this process, each iteration taking $K$ steps.

We have shown that the second stage of the Coppersmith algorithm can compute individual logarithms in time $K^{1 + o(1)}$. In fact, with slightly more care the exponent of $K$ can be lowered substantially. We do not do it here, since the main point we wish to make is that, as in the basic algorithm, the second stage of the Coppersmith variant requires very little time and negligible space compared to the first stage.

This section was devoted almost exclusively to the asymptotic analysis of the index-calculus 
algorithms on a random access machine. In Section 6 we will consider the question of estimating 
the running time of this algorithm for some concrete values of n , including the possible effects of the 
use of parallel processors. In the next section we will discuss several variations on the algorithm as 
it has been presented so far. 

5. Further modifications of the index-calculus algorithm 

Section 4 was concerned largely with the asymptotic behavior of the index-calculus algorithm in fields $GF(2^n)$. This section will discuss several technical issues related to both the basic algorithm and the Coppersmith version. The most important of them is that of efficient solutions to systems of linear equations, discussed in Section 5.7. The fact that the equations that occur in index-calculus algorithms can be solved fast is a recent discovery which affects the estimates of the running time both asymptotically and in practice.

This section also presents a variety of modifications of both the basic algorithm and of the 
Coppersmith version, which do not affect the asymptotics of the running times very much, but which 
are very important in practice. The most significant of these variations is that of Section 5.6. That 
variation speeds up the first phase of the Coppersmith algorithm by two or three orders of 
magnitude in fields that might be of practical interest. The variations presented here are not 
analyzed in exhaustive detail because their exact contributions depend on the hardware and software 
in which the algorithm is implemented. The purpose here is to obtain rough estimates of the 
performance of the algorithm with the best currently conceivable techniques. These estimates will 
be used in the next section to evaluate how large n ought to be to offer a given level of security. 
5.1 Systematic equations

The first stage of the index-calculus algorithm involves the collection of slightly over $|S|$ linear equations for the logarithms of the polynomials $v \in S$ and then the solution of these equations. The reason the Coppersmith version is so much faster than the Blake et al. version is that by dealing with pairs of polynomials of degree around $n^{2/3}$ as opposed to degree about $n/2$, it increases the probability of finding an additional equation for the $\log_g v$, $v \in S$. In fact, for the fields $GF(2^n)$, Blake et al. had some methods for obtaining large numbers of equations at very low cost per equation. They called the equations obtained this way "systematic." They were able to obtain upwards of one half of the required number of equations that way, but never all. Their methods in fact inspired Coppersmith to invent his version of the algorithm. We will now explain the Blake et al. methods and explore their significance. These methods work best when the polynomial $f(x)$ which defines the field has the special property that it divides some polynomial of the form

    $$x^{2^k} + f_1(x), \qquad (5.1)$$

where the degree of $f_1(x)$ is very small, and where the primitive element is $g = g(x) = x$. In general, it appears likely that the degree of $f_1(x)$ will be relatively high, which will make these new approaches of Blake et al. of little significance. In some cases, however, these methods produce startling improvements. This happens, for example, in the case $n = 127$, when we take the defining polynomial to be $f(x) = x^{127} + x + 1$, since here

    $$x f(x) = x^{2^7} + x^2 + x,$$

and $f_1(x) = x^2 + x$ has degree 2.

The first of the observations made by Blake and his collaborators is that if $f_1(x)$ is of low degree, the polynomials $x^{2^i}$, $1 \le i \le n - 1$, will often have low degree when reduced modulo $f(x)$. When this degree is low enough to make that polynomial a product of polynomials from $S$, we obtain a linear equation of the desired kind, since $\log_x x^{2^i} = 2^i$. As an example, for $n = 127$ and $f(x) = x^{127} + x + 1$, we find that for $7 \le i \le 126$,

and repeated application of this result shows that each $x^{2^i}$, $0 \le i \le 126$, can be expressed in the form

    $$\sum_{j=0}^{6} \epsilon_j\, x^{2^j}, \qquad \epsilon_j = 0, 1,$$

and so the logarithms of all such elements can be quickly computed, and are of the form $2^r$ for some $r$. Furthermore, since $x^{127} \equiv x + 1 \pmod{f(x)}$,

    $$1 + x^{2^i} = (1 + x)^{2^i} = x^{127 \cdot 2^i},$$

so one can also obtain the logarithms of all elements of the form

    $$1 + \sum_{j=0}^{6} \epsilon_j\, x^{2^j}, \qquad \epsilon_j = 0, 1.$$

In particular, these will include the logarithms of 31 nonzero polynomials of degrees $\le 16$. In general, for other values of $n$, $f_1(x)$ will not have such a favorable form, and we can expect fewer usable equations.

Another observation of Blake et al., which is even more fruitful, is based on the fact that if $u(x)$ is any irreducible polynomial over $GF(2)$ of degree $d$, and $v(x)$ is any polynomial over $GF(2)$, then the degrees of all irreducible factors of $u(v(x))$ are divisible by $d$. To prove this, note that if $w(x)$ is an irreducible factor of $u(v(x))$, and $\alpha$ is a root of $w(x) = 0$, then $v(\alpha)$ is a zero of $u(x)$, and thus is of degree $d$ over $GF(2)$. Since $v(x)$ has its coefficients in $GF(2)$, this means that $\alpha$ must generate an extension field of $GF(2^d)$, which means that its degree must be divisible by $d$, as we wished to show.

To apply the above fact, Blake et al. take an irreducible $u(x)$ of low degree, $u(x) \in S$, and note that by (5.1),

    $$u(x)^{2^k} = u(x^{2^k}) \equiv u(f_1(x)) \pmod{f(x)}.$$

If $u(f_1(x))$ factors into polynomials from $S$, one obtains another equation for the logarithms of the $v \in S$. The result proved in the preceding paragraph shows that all the factors of $u(f_1(x))$ will have degrees divisible by $\deg u(x)$, and not exceeding $(\deg u(x))(\deg f_1(x))$. Blake and his collaborators noted that in many cases all the irreducible factors have degrees actually equal to $\deg u(x)$. We will now discuss the likelihood of this happening.

Suppose that

    $$f(x) \mid x^{2^k} + f_1(x). \qquad (5.2)$$

We can assume without loss of generality that not all powers of $x$ appearing in $f_1(x)$ are even, since if they were, say $f_1(x) = f_2(x^2) = f_2(x)^2$, we would have

    $$f(x) \mid x^{2^k} + f_2(x)^2 = \big(x^{2^{k-1}} + f_2(x)\big)^2,$$

and since $f(x)$ is irreducible, we would obtain

    $$f(x) \mid x^{2^{k-1}} + f_2(x),$$

and we could replace $f_1(x)$ by $f_2(x)$ in (5.2). Therefore we will assume $f_1(x)$ does have terms of odd degree, and so $f_1'(x) \neq 0$.

The polynomial

    $$F_d(x) = x^{2^d} + x \qquad (5.3)$$

is the product of all the irreducible polynomials of all degrees dividing $d$. When we substitute $f_1(x)$ for $x$ in $F_d(x)$, we obtain

    $$F_d(f_1(x)) = f_1(x)^{2^d} + f_1(x) = f_1(x^{2^d}) + f_1(x). \qquad (5.4)$$

But

    $$f_1(x^{2^d}) + f_1(x) \equiv f_1(x) + f_1(x) = 0 \pmod{F_d(x)},$$

so $F_d(x)$ divides $F_d(f_1(x))$, which is the product of the $u(f_1(x))$ over the irreducible $u(x)$ of degree dividing $d$; hence each irreducible polynomial whose degree divides $d$ has to divide some $u(f_1(x))$ for another irreducible $u(x)$ of degree dividing $d$. Since

    $$\frac{d}{dx} F_d(f_1(x)) = f_1'(x)$$

by (5.4), only a small number of irreducibles can divide $F_d(f_1(x))$ to second or higher powers. Each $u(f_1(x))$ that splits completely therefore uses up $\deg f_1(x)$ of the roughly $2^d/d$ distinct irreducibles of degree $d$, and we conclude that at most only about one in $\deg f_1(x)$ of the irreducible polynomials $u(x)$ of degree $d$ can have the property that $u(f_1(x))$ factors into irreducible polynomials of degree $d$. Thus if we have only one pair $(k, f_1(x))$ for which (5.2) holds, then we can expect at most about $|S|/(\deg f_1(x))$ systematic equations from this method. We also obtain useful equations from all $u(x)$ for which $\deg u(f_1(x)) \le m$, but there are relatively few such polynomials $u(x)$. If $\deg f_1(x) = 2$ (as it is for $n = 127$, $f(x) = x^{127} + x + 1$), it is easy to see that almost exactly one half of the irreducible polynomials $u(x)$ of a given degree $d$ will have the property that $u(f_1(x))$ factors into irreducible polynomials of degree $d$. If $\deg f_1(x) > 2$, the situation is more complicated, in that the $u(f_1(x))$ can factor into products of irreducible polynomials of several degrees, and so the number of useful equations obtained this way is typically considerably smaller than $|S|/(\deg f_1(x))$.
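The two Blake et al. observations above, made concrete for $n = 127$ and $f(x) = x^{127} + x + 1$ as an added example (this code was written for this edition and is not from [8] or from the paper). Polynomials over $GF(2)$ are Python integers with bit $i$ the coefficient of $x^i$. The first two functions recompute the reductions of $x^{2^i}$ modulo $f(x)$ directly, checking that every one is a sum of $x, x^2, \ldots, x^{64}$ and that $1 + x^{2^i} = x^{127 \cdot 2^i}$ by explicit exponentiation; the last function counts, for $f_1(x) = x^2 + x$, how many irreducible $u(x)$ of degree $d$ have $u(f_1(x))$ splitting into irreducibles of degree $d$, using the fact proved above that all factors have degree divisible by $d$, so that this happens exactly when $u(f_1(x))$ divides $x^{2^d} + x$:

```python
# Added example: Blake et al. systematic equations for n = 127, f(x) = x^127 + x + 1.
# Polynomials over GF(2) are Python ints, bit i = coefficient of x^i.

N = 127
F = (1 << N) | 0b11          # f(x) = x^127 + x + 1; x f(x) = x^128 + x^2 + x, so (5.1) holds
F1 = 0b110                   # with k = 7 and f_1(x) = x^2 + x


def deg(a):
    return a.bit_length() - 1


def mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a, f):
    df = deg(f)
    while a and deg(a) >= df:
        a ^= f << (deg(a) - df)
    return a


def gcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def powmod(base, e, f):
    """base(x)^e mod f(x) for an arbitrary integer exponent e (square and multiply)."""
    r, base = 1, pmod(base, f)
    while e:
        if e & 1:
            r = pmod(mul(r, base), f)
        base = pmod(mul(base, base), f)
        e >>= 1
    return r


def x_pow2(i, f):
    """x^(2^i) mod f(x), by i squarings."""
    r = pmod(0b10, f)
    for _ in range(i):
        r = pmod(mul(r, r), f)
    return r


def compose(u, g):
    """u(g(x)) in GF(2)[x] by Horner's rule."""
    r = 0
    for b in range(deg(u), -1, -1):
        r = mul(r, g) ^ (u >> b & 1)
    return r


LINEARIZED_POSITIONS = {1 << j for j in range(7)}   # exponents 1, 2, 4, ..., 64


def first_family():
    """(polynomial, log_x) for x^(2^i) mod f, i = 0..126: each is a sum of x^(2^j), j <= 6,
    and its logarithm 2^i comes for free."""
    out, p = [], 0b10
    for i in range(N):
        assert all(b in LINEARIZED_POSITIONS for b in range(p.bit_length()) if p >> b & 1)
        out.append((p, 1 << i))
        p = pmod(mul(p, p), F)
    return out


def second_family():
    """(polynomial, log_x) for 1 + x^(2^i) = (1 + x)^(2^i) = x^(127 * 2^i), using
    x^127 = x + 1 (mod f); the claimed logarithm is verified by direct exponentiation."""
    out, p = [], 0b10
    for i in range(N):
        q = p ^ 1
        assert q == powmod(0b10, 127 << i, F)
        out.append((q, 127 << i))
        p = pmod(mul(p, p), F)
    return out


def irreducibles(d):
    """All irreducible polynomials of degree d over GF(2): p is irreducible iff it shares no
    factor with x^(2^i) + x for 1 <= i <= d/2 (a factor of degree <= d/2 would divide one)."""
    out = []
    for p in range(1 << d, 1 << (d + 1)):
        if all(gcd(p, x_pow2(i, p) ^ 0b10) == 1 for i in range(1, d // 2 + 1)):
            out.append(p)
    return out


def splitting_count(d, f1=F1):
    """(hits, total): how many irreducible u of degree d have u(f_1(x)) splitting into
    irreducibles of degree d, i.e. u(f_1(x)) | x^(2^d) + x, i.e. x^(2^d) + x = 0 mod u(f_1)."""
    us = irreducibles(d)
    hits = sum(1 for u in us if (x_pow2(d, compose(u, f1)) ^ 0b10) == 0)
    return hits, len(us)


if __name__ == "__main__":
    print(len(first_family()), "free logarithms of the first kind")
    print(sum(1 for q, _ in second_family() if deg(q) <= 16), "of the second kind of degree <= 16")
    for d in range(1, 9):
        print("degree", d, "irreducibles u with u(x^2 + x) splitting:", splitting_count(d))
```

For $d = 1, \ldots, 5$ the counts come out as 1 of 2, 0 of 1, 1 of 2, 1 of 3 and 3 of 6, the "almost exactly one half" of the text. The $u$ that split are exactly those whose $x^{d-1}$ coefficient is 0: $u(x^2 + x)$ has a root in $GF(2^d)$ precisely when $\beta^2 + \beta = \alpha$ is solvable for a root $\alpha$ of $u$, which is the trace-0 condition on $\alpha$, and the trace of the roots of $u$ is its $x^{d-1}$ coefficient.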

One factor which is hard to predict is how small one can take the degree of $f_1(x)$ so that (5.2) holds for some $k$ and some primitive polynomial $f(x)$ of degree $n$. The situation for $n = 127$, where we can take $f_1(x) = x^2 + x$, is extremely favorable. For some $n$, it is possible to take $\deg f_1(x) = 1$. Condition (5.2) with $f_1(x) = x$ is not useful, since it holds precisely for the irreducible polynomials of degrees dividing $k$, and the resulting discrete logarithm equations simply say that

    $$2^k \log_x v \equiv \log_x v \pmod{2^n - 1}$$

for $d \mid k$, $d = \deg v(x)$, which is trivial. Condition (5.2) with $f_1(x) = x + 1$ is somewhat more interesting. If it holds, then

    $$f(x) \mid x^{2^{2k}} + x,$$

and thus $\deg f(x) \mid 2k$. On the other hand, because of (5.2), $\deg f(x) \nmid k$. Thus this condition can hold only for even $n$, which, as we will argue later, ought to be avoided in cryptographic applications. For these even $n$, however, it gives relations of the form

    $$2^{n/2} \log_x v \equiv \log_x v^* \pmod{2^n - 1},$$

for all irreducible $v(x)$, where $v^*(x) = v(x + 1)$, and then gives about $|S|/2$ useful equations.

In many cases it is impossible to find $f(x)$ of a given degree such that (5.2) holds for some $f_1(x)$ of low degree. When such $f(x)$ can be found, it sometimes happens that (5.2) holds for several pairs $(k, f_1(x))$. For example, when $n = 127$, $f(x) = x^{127} + x + 1$, condition (5.2) holds for $k = 7$, $f_1(x) = x^2 + x$ and also for $k = 14$, $f_1(x) = x^4 + x$.

The significance of these systematic equations is not completely clear. Our arguments indicate that unless (5.2) is satisfied with $f_1(x)$ of low degree, few systematic equations will be obtained. No method is currently known for finding primitive $f(x)$ of a given degree $n$ for which (5.2) is satisfied with some $f_1(x)$ of low degree. It is not even known whether there exist such $f(x)$ for a given $n$. Even in the very favorable situation that arises for $n = 127$, $f(x) = x^{127} + x + 1$, Blake et al. [8] found only 142 linearly independent systematic equations involving the 226 logarithms of the irreducible polynomials of degrees $\le 10$. (They reported a very large number of linear dependencies among the systematic equations they obtained.) Thus it seems that while systematic equations are a very important idea that has already led to the Coppersmith breakthrough and might lead to further developments, at this time they cannot be relied upon to produce much more than $|S|/2$ equations, and in practice probably many fewer can be expected.

5.2 Change of primitive element and field representation

The Coppersmith algorithm requires that the polynomial $f(x)$ that generates the field $GF(2^n)$ be of the form (4.18) with $f_1(x)$ of low degree. Section 5.1 showed that if $f(x)$ satisfies (5.2) with $f_1(x)$ of low degree, and $x$ is a primitive element of the field, one can obtain many systematic equations. On the other hand, it is often desirable that $f(x)$ satisfy other conditions. For example, if $f(x)$ is an irreducible trinomial,

    $$f(x) = x^n + x^k + 1, \qquad (5.5)$$

where we may take $k \le n/2$, since $x^n + x^{n-k} + 1$ is irreducible if and only if $f(x)$ is, then reduction of polynomials modulo $f(x)$ is very easy to implement; if

    $$h(x) = \sum_{i=0}^{2n-2} a_i x^i$$

(as might occur if $h(x)$ is the product of two polynomials reduced modulo $f(x)$), then

    $$h(x) \equiv \sum_{i=0}^{n-1} a_i x^i \;+\; \sum_{i=0}^{n-2} a_{i+n}\, x^i \;+\; \sum_{i=k}^{n+k-2} a_{i+n-k}\, x^i \pmod{f(x)}, \qquad (5.6)$$

a reduction that can be accomplished using two shifts and two exclusive or's of the coefficient strings, and another iteration of this procedure applied to the polynomial on the right side of (5.6) yields the fully reduced form of $h(x)$. It is often also desirable that $f(x)$ be primitive, since then $x$ can be used as a primitive element of the field. (Extensive tables of primitive trinomials are available, see [28,71,72].) In some cases, of which $n = 127$ and $f(x) = x^{127} + x + 1$ is the example par excellence, it is possible to satisfy all these desirable conditions. In general, though, some kind of compromise might be necessary, and the choice to be made might depend both on $n$ (and thus on what kinds of polynomials exist) and on the hardware and software that are being used. Our purpose here is to show that the security of a cryptosystem is essentially independent of the choices that are made; the cryptosystem designer and the cryptanalyst can choose whichever $f(x)$ and $g(x)$ suit them best.

To show that changing only the primitive element $g(x)$ does not affect the security of a system, suppose that we have a way to compute discrete logarithms to base $g(x)$ efficiently. If another primitive element $g_1(x)$ and a nonzero polynomial $h(x)$ are given, and it is desired to compute the logarithm of $h(x)$ to base $g_1(x)$, we compute the logarithms of $g_1(x)$ and $h(x)$ to base $g(x)$, say

    $$g_1(x) \equiv g(x)^a \pmod{f(x)},$$

    $$h(x) \equiv g(x)^b \pmod{f(x)},$$

and obtain immediately

    $$h(x) \equiv g_1(x)^{a' b} \pmod{f(x)},$$

where $a'$ is the integer with $1 \le a' < 2^n - 1$ for which

    $$a a' \equiv 1 \pmod{2^n - 1}.$$

(Since $g(x)$ and $g_1(x)$ are primitive, $(a, 2^n - 1) = 1$, and so $a'$ exists.)

Changing the representation of the field, so that it is given as polynomials modulo $f_1(x)$, as opposed to modulo $f(x)$ (here $f_1(x)$ denotes a second irreducible polynomial of degree $n$, not the low degree part of (4.18)), also does not affect the difficulty of computing discrete logarithms, as was first observed by Zierler [70]. The two fields are isomorphic, with the isomorphism being given by

    $$x \pmod{f_1(x)} \ \longmapsto\ h(x) \pmod{f(x)},$$

where

    $$f_1(h(x)) \equiv 0 \pmod{f(x)}.$$

Thus to construct the isomorphism we have to find a root $h(x)$ of $f_1(x)$ in the field of polynomials modulo $f(x)$. Such a root can be found in time polynomial in $n$ [7,16,36,55,70], which establishes the isomorphism and enables one to transfer logarithm computations from one representation to another.

5.3 Faster generation and processing of test polynomials

As we described the basic index-calculus algorithm, the polynomials $h^*$ are generated (in the first stage of the algorithm, say) by selecting a random integer $s$ and reducing $g^s$ modulo $f(x)$. Typically this involves on the order of $3n/2$ polynomial multiplications and reductions modulo $f(x)$. This work can be substantially reduced by choosing the $h^*$ in succession, say $h_1^* = 1, h_2^*, h_3^*, \ldots$, with

    $$h_{k+1}^* \equiv h_k^*\, v_s \pmod{f(x)},$$

where $v_s$ is chosen at random from $S$. This requires only one polynomial multiplication (in which one factor, namely $v_s$, is of low degree) and one reduction. Since each $h_k^*$ is of the form

    $$h_k^* \equiv \prod_{v \in S} v^{a_v} \pmod{f(x)},$$

any time we find that both $w_1$ and $w_2$ have all their irreducible factors in $S$, we obtain another equation for the $\log_g v$, $v \in S$. Heuristic arguments and some empirical evidence [58] indicate that the sequence $h_k^*$ ought to behave like a random walk in $GF(2^n) \setminus \{0\}$, which means that the modified algorithm ought to produce linear equations about as efficiently as the old one.

Once $h^*$ is computed, the $(w_1, w_2)$ pair that satisfies (4.7) is produced by the extended Euclidean algorithm applied to the polynomials $h^*$ and $f$, which are each of degree about $n$. It might be advantageous to decrease the cost of this relatively slow operation by generating several pairs $(w_1, w_2)$ that satisfy (4.7). This can be done by choosing $w_1 = \gamma_j$ and $w_2 = \alpha_j$ for several values of $j$ such that (4.11) holds and the degrees of the $w_i$ are not too far from $n/2$. As is shown in Appendix A,

    $$p(r + s, m)\,p(r - s, m) \approx p(r, m)^2$$

for $s$ small compared to $r$ (for example, $p(105, 18)\,p(95, 18) = 1.07 \times 10^{-8}$, while $p(100, 18)^2 = 1.09 \times 10^{-8}$), so that if the neighboring pairs $(\gamma_j, \alpha_j)$ that satisfy (4.11) are independent with regard to factorization into small degree irreducible polynomials, as seems reasonable, we can cheaply obtain additional pairs $(w_1, w_2)$ satisfying (4.7) which will be just as good in producing additional equations.

The two modifications suggested above can also be applied to the second stage of the basic index-calculus algorithm, where they will lead to similar improvements in running time. They can also be used in the first step of the second stage of the Coppersmith algorithm.

Blake et al. [8] used the Berlekamp algorithm [7] to factor the polynomials w, . However, what 
is really needed initially is only to check whether all the irreducible factors of the w f are of degrees 
< m . The complete factorization of the >v, is needed only when the w,- are both composed of low 
degree factors, and this happens so infrequently that the time that is needed in those cases to factor 
the w ( is an insignificant fraction of the total running time. Now to rapidly check whether a 
polynomial w(x) has all its irreducible factors of degrees < ra, we can proceed as follows. Since 
the greatest common divisor, (w'Oc), wOx)), of w(x) and its derivative equals 

(w(x), w (*)) - rj y t (x) 2[a,m , (5.7) 

where 

w(x) "II >V W' . 

i 

and the y : (.x) are distinct irreducible polynomials, we can compute 
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w {0} (x) -Jly,(x) 

i 

in a few greatest common divisor and square root operations. Then, for i — 1,2,..., m we compute 

wOOc). , W "' Hx \ . (5.8) 

Since x 2 * + x is the product of all the irreducible polynomials of degrees dividing k, n> (m) (jc) — 1 if 
and only if all the irreducible factors of w(jc) are of degrees < m. 

The above procedure ought to be quite fast, since the greatest common divisor of two polynomials of degrees $\le n$ can be computed using at most $n$ shifts and exclusive or's of their coefficient sequences, and since the degrees of the $w^{(i)}$ are likely to decrease rapidly. The above procedure can be simplified some more by noting that it suffices to define $w^{(i_0)}(x) = w^{(0)}(x)$ for $i_0 = \lfloor (m-1)/2 \rfloor$ and apply (5.8) for $i = i_0 + 1, \ldots, m$, since any irreducible polynomial of degree $d$, $d \le m$, divides at least one of the $x^{2^i} + x$, $i_0 + 1 \le i \le m$. Furthermore, the $x^{2^i} + x$ do not have to be computed at each stage separately, but instead, if we save

$$u_i(x) \equiv x^{2^i} + x \pmod{w^{(i-1)}(x)} ,$$

with $u_i(x)$ reduced modulo $w^{(i-1)}(x)$, then

$$u_i(x) \equiv x^{2^i} + x \pmod{w^{(i)}(x)} ,$$

and so

$$u_{i+1}(x) \equiv u_i(x^2) + x^2 + x \pmod{w^{(i)}(x)} ,$$

which is a much simpler operation.

Another fast way to test whether a polynomial $w(x)$ has all its irreducible factors of degrees $\le m$ was suggested by Coppersmith [19]. It consists of computing

$$w'(x) \prod_{i = \lceil m/2 \rceil}^{m} \left(x^{2^i} + x\right) \pmod{w(x)} ,$$

and checking whether the resulting polynomial is zero or not. This method avoids the need for many greatest common divisor computations, and so may be preferable in some implementations. It is not completely foolproof, since polynomials in which all irreducible factors of degrees $> m$ appear to even powers will pass the test. However, such false signals will occur very infrequently, and will not cause any confusion, since polynomials $w(x)$ that pass the Coppersmith test have to be factored in any case.
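As an added illustration (our code, not the paper's), the following Python implements both tests just described on polynomials over GF(2) held as integers: the gcd chain (5.8) with the $u_i(x)$ shortcut and the $i_0$ starting point, and Coppersmith's product test, including its even-power false positive; all function names are ours.

```python
# Added example, not code from the paper: smoothness tests for polynomials
# over GF(2).  A polynomial is a Python int whose bit i is the coefficient of
# x^i.  smooth_by_gcd_chain() implements (5.8) with the u_i(x) shortcut and
# the i_0 = floor((m-1)/2) starting point; smooth_by_coppersmith() implements
# Coppersmith's product test.  All function names are ours.

X = 0b10            # the polynomial x
X2_PLUS_X = 0b110   # x^2 + x


def deg(a):
    """Degree of a; deg(0) is taken to be -1."""
    return a.bit_length() - 1


def pmul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, m):
    """Quotient and remainder of a divided by m (m != 0) in GF(2)[x]."""
    q, dm = 0, deg(m)
    while a and deg(a) >= dm:
        s = deg(a) - dm
        q ^= 1 << s
        a ^= m << s
    return q, a


def pgcd(a, b):
    """Greatest common divisor by shift-and-xor Euclidean steps."""
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a


def pderiv(a):
    """Formal derivative in characteristic 2: only odd-degree terms survive."""
    even_mask = sum(1 << i for i in range(0, a.bit_length(), 2))
    return (a >> 1) & even_mask


def psqrt(a):
    """Square root of a perfect square: x^(2i) -> x^i (Frobenius in char 2)."""
    r, i = 0, 0
    while a:
        if a & 1:
            r |= 1 << i
        a >>= 2
        i += 1
    return r


def squarefree_part(w):
    """w^(0)(x), the product of the distinct irreducible factors of w, via (5.7):
    gcd(w, w') is the perfect square prod y_i^(2*floor(a_i/2))."""
    if deg(w) < 1:
        return 1
    g = pgcd(w, pderiv(w))
    odd = pdivmod(w, g)[0]              # factors of odd multiplicity, once each
    rest = squarefree_part(psqrt(g))    # factors of multiplicity >= 2, once each
    return pdivmod(pmul(odd, rest), pgcd(odd, rest))[0]


def smooth_by_gcd_chain(w, m):
    """True iff every irreducible factor of w has degree <= m, using
    w^(i) = w^(i-1) / gcd(w^(i-1), x^(2^i) + x) for i = i_0+1, ..., m (5.8),
    with u_{i+1} = u_i(x^2) + x^2 + x (mod w^(i)) instead of fresh x^(2^i) + x."""
    i0 = (m - 1) // 2
    wi = squarefree_part(w)
    t = pdivmod(X, wi)[1]
    for _ in range(i0 + 1):             # t = x^(2^(i0+1)) mod w^(i0)
        t = pdivmod(pmul(t, t), wi)[1]
    u = pdivmod(t ^ X, wi)[1]           # u_{i0+1} = x^(2^(i0+1)) + x mod w^(i0)
    for _ in range(i0 + 1, m + 1):
        wi = pdivmod(wi, pgcd(wi, u))[0]
        if deg(wi) < 1:
            return True                 # w^(i) = 1: nothing of degree > m is left
        u = pdivmod(pmul(u, u) ^ X2_PLUS_X, wi)[1]   # u_i(x^2) = u_i(x)^2 in char 2
    return deg(wi) < 1


def smooth_by_coppersmith(w, m):
    """Coppersmith's test: w'(x) * prod_{i=ceil(m/2)}^{m} (x^(2^i) + x) == 0 mod w.
    Passes wrongly when every factor of degree > m has even multiplicity."""
    r = pdivmod(pderiv(w), w)[1]
    x2i = pdivmod(X, w)[1]
    for i in range(1, m + 1):
        x2i = pdivmod(pmul(x2i, x2i), w)[1]        # x^(2^i) mod w
        if i >= (m + 1) // 2:
            r = pdivmod(pmul(r, x2i ^ X), w)[1]
    return r == 0
```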

5.4 Large irreducible factors

This section discusses a variation on both the basic index-calculus algorithm and the Coppersmith variation that was inspired by the "large prime" variation on the continued fraction integer factoring method (cf. [53]). In practice, as will be discussed at greater length later, the $w_i$ would probably be factored by removing from them all irreducible factors of degree $\le m$, and discarding the pair $(w_1, w_2)$ if either one of the quotients is not 1. If one of the quotients, call it $u(x)$, is not 1, but has degree $\le 2m$, then it has to be irreducible. The new variation would use such pairs, provided the degree of $u(x)$ is not too high ($\le m+6$, say). The pair $(w_1, w_2)$ that produced $u(x)$ would be stored, indexed by $u(x)$. Then, prior to the linear equation solving phase, a preprocessing phase would take place, in which for each irreducible $u(x)$, $\deg u(x) > m$, the pairs $(w_1, w_2)$ that are associated to it would be used to obtain additional linear equations involving logarithms of the $v \in S$. For example, in the basic algorithm, if there are $k$ pairs associated to $u(x)$, say

$$h_i \equiv u(x)^{a_i} \prod_{v \in S} v^{b_v(i)} \pmod{f} , \qquad 1 \le i \le k ,$$

where each $a_i = \pm 1$, then we can obtain $k-1$ equations for the logarithms of the $v \in S$ by considering the polynomials

$$h_i(x)\, h_1(x)^{-a_1 a_i} \equiv \prod_{v \in S} v^{\,b_v(i) - a_1 a_i b_v(1)} \pmod{f} , \qquad 2 \le i \le k .$$

A similar method works with the Coppersmith variation.

We now consider the question of how many equations we are likely to obtain by this method. Suppose that we generate $N$ different pairs $(w_1, w_2)$, where each of the $w_i$ is of degree approximately $M$ (which would be $\sim n/2$ for the basic algorithm and on the order of $n^{2/3}$ in the Coppersmith variation). We then expect to obtain about

$$N p(M, m)^2$$

pairs $(w_1, w_2)$, where each of the $w_i$ factors into irreducibles from $S$. Consider now some $k > m$. The probability that a random polynomial of degree $\sim M$ has exactly one irreducible factor of degree $k$ and all others of degrees $\le m$ is about

$$p(M-k, m)\, I(k)\, 2^{-k} ,$$

where $I(k)$ is the number of irreducible polynomials of degree $k$. Therefore we expect that the probability that exactly one of $w_1$ and $w_2$ has one irreducible factor of degree $k$ and all other factors of both $w_1$ and $w_2$ are of degrees $\le m$ is about

$$2\, p(M-k, m)\, p(M, m)\, I(k)\, 2^{-k} .$$

(The probability that both $w_1$ and $w_2$ have one irreducible factor of degree $k$ and all others of degree $\le m$ is negligible.) Hence among our $N$ pairs $(w_1, w_2)$ we expect about

$$N_k \sim 2N\, p(M, m)\, p(\lfloor n/2 \rfloor - k, m)\, I(k)\, 2^{-k} \qquad (5.9)$$

pairs that would be preserved. The number of equations that we expect to obtain from these $N_k$ pairs is $N_k - M_k$, where $M_k$ is the number of irreducible polynomials of degree $k$ that appear in the stored list.

To estimate $M_k$, we make the assumption that the irreducible polynomials $u(x)$ of degree $k$ that appear in the factorization of the $w_i$ behave as if they were drawn at random from the $I(k)$ such polynomials. When $N_k$ balls are thrown at random into $I(k)$ buckets, the expected number of buckets that end up empty is $I(k)$ times the probability that any single bucket ends up empty. Since the probability that a particular bucket ends up with no balls is

$$\frac{(I(k) - 1)^{N_k}}{I(k)^{N_k}} ,$$

the expected number of buckets that we expect to be occupied is

$$I(k) - I(k)\,(I(k) - 1)^{N_k}\, I(k)^{-N_k} .$$

Therefore we expect to obtain approximately

$$N_k + I(k)\left(\left(1 - I(k)^{-1}\right)^{N_k} - 1\right) \qquad (5.10)$$

additional equations from polynomials of degree $k$. Since $N_k$ will be comparable to $I(k)$ in magnitude in applications to the index-calculus algorithm, we can approximate (5.10) by

$$N_k + I(k)\left(\exp(-N_k / I(k)) - 1\right) . \qquad (5.11)$$

Since (see Appendix A) $I(k) \sim 2^k k^{-1}$ and

$$p(M-k, m) \sim p(M, m)\left(M m^{-1} \log_e (M/m)\right)^{k/m} ,$$

(5.9) gives us

$$N_k \sim 2N k^{-1} p(M, m)^2 \left(M m^{-1} \log_e (M/m)\right)^{k/m} . \qquad (5.12)$$

Since $|S| \sim 2^{m+1} m^{-1}$, we are interested in $N$ for which $N p(M, m)^2$ is on the order of $2^m m^{-1}$. For such $N$, though, (5.11) and (5.12) show that the number of additional equations is negligible for $k - m \to \infty$. For $k \sim m$, on the other hand, (5.12) shows that

$$N_k \sim 2 M m^{-2} N p(M, m)^2 \left(\log_e (M/m)\right) ,$$

which is

$$\sim c' N p(M, m)^2$$

for $m \sim c (M \log_e M)^{1/2}$, which is the case for both the basic algorithm and the Coppersmith variant. Hence we also have

$$N_k \sim c'' I(m) ,$$

and (5.11) then shows that we can expect

$$\left[c'' - 2^{k-m}\left(1 - \exp\left(-c'' 2^{m-k}\right)\right)\right] I(m)$$

additional equations, where the implied constants are absolute. Hence when we sum over $k$, we find that the total number of additional equations we can expect the large irreducible factor variation to generate is proportional to the number that have to be obtained.

The large irreducible factor variation can be quite important for moderate values of $n$, especially when $m$ is relatively low, as it might have to be to make the solution of the system of linear equations feasible. For example, for $M = 65$, $m = 18$, without the large irreducible factor variation we might expect to test about $N = 1.04 \times 10^8$ pairs $(w_1, w_2)$, whereas with this variation we expect to need only about $6.7 \times 10^7$. For $M = 65$ and $m = 12$, the difference is even more dramatic, since without the variation we expect to need $N = 1.3 \times 10^{10}$, while with it we need only $N = 3.5 \times 10^9$. For $M = 100$ and $m = 20$ the figures are $N = 4.9 \times 10^{11}$ and $N = 2.3 \times 10^{11}$, respectively, while for $M = 100$ and $m = 18$ they are $N = 2.7 \times 10^{12}$ and $N = 1.1 \times 10^{12}$. Thus for values that are of cryptographic significance, the large irreducible factor variation can shorten the running time of the equation generating phase by a factor of between 2 and 3. Furthermore, it can speed up the second stage of the index-calculus algorithm by an even greater factor, since in addition to the logarithms of the $v \in S$, the cryptanalyst will possess the logarithms of many polynomials of degrees $m+1, m+2, \ldots$.

5.5 Early abort strategy

Like the large irreducible factor variation discussed in the preceding section, the early abort strategy is also inspired by a similar technique used in factoring integers. Most of the pairs $(w_1, w_2)$ that are generated turn out to be ultimately useless, whether the large irreducible factor variation is used or not. It would obviously be of great advantage to be able to select those pairs $(w_1, w_2)$ in which both of the $w_i$ are likely to factor into irreducible polynomials from $S$. The idea behind the early abort strategy is that a polynomial is unlikely to have all its factors in $S$ unless it has many factors of small degree. Asymptotically this variation is unimportant, since factorization of binary polynomials can be accomplished in time polynomial in their degree. For small values of $n$, though, this variation can be important, as will be shown below.

Let $p_k(r, m)$ denote the probability that a polynomial of degree $r$ has all its irreducible factors of degrees strictly larger than $k$ but at most $m$. It is easy to obtain recurrences for $p_k(r, m)$ similar to those for $p(r, m)$ derived in Appendix A, which enables one to compute the $p_k(r, m)$ numerically. (It is also possible to obtain asymptotic expansions for the $p_k(r, m)$, but since we know a priori that the early abort strategy is unimportant asymptotically, we will not do it here.) For a polynomial $w(x)$, let $w^*(x)$ denote the product of all the irreducible factors of $w(x)$ of degrees $\le k$ (with their full multiplicity). Let $Q(r, R, m, k)$ denote the probability that a polynomial $w(x)$ of degree $r$ has all its irreducible factors of degrees $\le m$, and that $\deg w^*(x) \ge R$. Then we easily obtain

$$Q(r, R, m, k) = \sum_{j \ge R} p(j, k)\, p_k(r-j, m) .$$

Let $Q^*(r, R, k)$ denote the probability that a random polynomial $w(x)$ of degree $r$ has the property that $\deg w^*(x) \ge R$. Then we similarly obtain

$$Q^*(r, R, k) = \sum_{j \ge R} p(j, k)\, p_k(r-j, r-j) .$$

The early abort strategy with parameters $(k, R)$ is to discard the pair $(w_1, w_2)$ if either $w_1^*(x)$ or $w_2^*(x)$ has degree $< R$. Let $A$ represent the time needed to check whether both $w_1(x)$ and $w_2(x)$ have all their irreducible factors of degrees $\le m$, and let $B$ represent the time involved in testing whether the degrees of $w_1^*(x)$ and $w_2^*(x)$ are both $\ge R$. Then to obtain one factorization that gives a linear equation for the logarithms of the $v \in S$, the standard index-calculus algorithm has to test about $p(\lfloor n/2 \rfloor, m)^{-2}$ pairs $(w_1, w_2)$ at a cost of approximately

$$A\, p(\lfloor n/2 \rfloor, m)^{-2} \qquad (5.13)$$

units of time. The early abort strategy has to consider about $Q(\lfloor n/2 \rfloor, R, m, k)^{-2}$ pairs $(w_1, w_2)$, but of these only about $Q^*(\lfloor n/2 \rfloor, R, k)^2\, Q(\lfloor n/2 \rfloor, R, m, k)^{-2}$ pairs have to be subjected to the expensive test of checking if all their irreducible factors have degrees $\le m$. Hence the work involved in obtaining an additional linear equation under the early abort strategy is about

$$\left\{B + A\, Q^*(\lfloor n/2 \rfloor, R, k)^2\right\} Q(\lfloor n/2 \rfloor, R, m, k)^{-2} . \qquad (5.14)$$

In Table 1 we present some values of the ratio of the quantity in (5.14) to that in (5.13):
Table 1. Evaluation of the early abort strategy.

     n     m     k     R     ratio of (5.14) to (5.13)
   128    16     4     5     2.47 B/A + 0.412
   128    16     5     5     1.73 B/A + 0.452
   200    20     4     5     2.67 B/A + 0.445
   200    20     5     6     2.32 B/A + 0.396

We see from this that if B/A < 1/10, then one can reduce the work required to obtain an 
additional equation by 30-40%, which might speed up the algorithm by a factor of approximately 
1.5. 

The success of the early abort strategy is crucially dependent on the ability to quickly find the divisors $w^*$ of the $w_i$ that are composed only of irreducible factors of degrees $\le k$. If we use the procedure suggested in Section 5.3, this can be accomplished quite easily. Given a polynomial $w(x)$ to be tested, we compute its square-free part $w^{(0)}(x)$ and go through the first $k$ steps of the procedure described by (5.8). If $k = 4$, this can be simplified further. Here we only need to know

$$\left(w^{(0)}(x),\, x^8 + x\right) \quad \text{and} \quad \left(w^{(0)}(x),\, x^{16} + x\right) ,$$

and these can be computed by reducing $w^{(0)}(x)$ modulo $x^8 + x$ and modulo $x^{16} + x$, respectively, and looking up the greatest common divisors in precomputed tables. We could then decide not to reject $w(x)$ if the difference of the degree of $w^{(0)}(x)$ and the sum of the degrees of the two divisors is small enough. It might also be advantageous to avoid computing $w^{(0)}(x)$ on the first pass, compute

$$\left(w(x),\, x^8 + x\right) , \quad \left(w(x),\, x^{16} + x\right) ,$$

and accept or reject $w(x)$ depending on how small the difference between the degree of $w(x)$ and the sum of the degrees of those factors is.

One can obtain some further slight gains by using additional conditions further along in the computation of the $w^{(i)}(x)$ defined by (5.8). It seems safe to say, though, that the early abort strategy is unlikely to speed up the linear equation collection phase of the index-calculus algorithm by more than a factor of 2 or so.

5.6 Faster generation of equations in Coppersmith's method

It is possible to significantly speed up the first stage of Coppersmith's variant of the index-calculus algorithm by applying some of the ideas that occur in the second stage of that version. Asymptotically, the improvements are not important, but in practice they are likely to be much more important than all the other variations we have discussed so far, and could speed up the equation-collecting phase of the algorithm by factors of 10 to 20 for $n = 127$, by up to 300 for $n = 521$, and by over 1000 for $n = 1279$.

The idea behind the new variation is that instead of selecting $u_1(x)$ and $u_2(x)$ to be any pair of relatively prime polynomials of degrees $\le B$ each, we select them to increase the chances of $w_1(x)$ and $w_2(x)$ splitting into low degree irreducible factors. To do this, we select a pair $v_1(x)$ and $v_2(x)$ of polynomials of degrees $\le B-1$ (but close to $B$) such that each is composed of irreducible factors of degrees $\le m$. We then select $u_1(x)$ and $u_2(x)$ of degrees $\le B$ so that $v_1(x) \mid w_1(x)$ and $v_2(x) \mid w_2(x)$. The divisibility condition gives us $\deg v_1(x) + \deg v_2(x) \le 2B-2$ homogeneous linear equations for the $2B$ coefficients of $u_1(x)$ and $u_2(x)$, and so we obtain at least 3 nonzero solutions. Moreover, these solutions can be found very fast, by using gaussian elimination on the $GF(2)$ matrix of size $\le 2B-2$ by $2B$.

When $u_1(x)$ and $u_2(x)$ are selected by the above procedure, the probability of $w_1(x)$ splitting into irreducible factors of degrees $\le m$ ought to be close to $p(h, m)$, and the probability of $w_2(x)$ splitting in this way ought to be close to

$$p\left(h 2^k - n + B(2^k - 1) + \deg f_1(x),\, m\right) .$$

Since $B = O\left(n^{1/3} (\log_e n)^{2/3}\right)$, the form of the asymptotic estimate for the probability of both $w_1(x)$ and $w_2(x)$ splitting is not affected by this improvement. In practice, however, the improvements can be vital.
Some care has to be used in the application of the idea proposed above. The first stage of the index-calculus algorithm requires the generation of $|S| \sim m^{-1} 2^{m+1}$ linearly independent equations. The equations generated by the basic version of the algorithm and by the Coppersmith variation are expected to be largely independent of the preceding ones (as long as there are $\le |S|$ of them) on heuristic grounds, and this is confirmed by computational experience. That is not the case, however, with the variation proposed above, because in general many pairs $(v_1(x), v_2(x))$ will give rise to the same pair $(w_1(x), w_2(x))$. To circumvent this difficulty, we select $B$ so that the standard Coppersmith algorithm without the variation proposed here would generate about $1.6\,|S|$ equations. (This involves increasing $B$ by at most 1.) We then implement the present variation, with the new value of $B$. Essentially all of the $1.6\,|S|$ equations that would be generated by the standard Coppersmith algorithm can be generated by the new variation with appropriate choices of $v_1(x)$ and $v_2(x)$, and most can be generated in roughly the same number of ways. Hence we can again model this situation in terms of the "balls into buckets" problem described in Section 5.4; we have about $1.6\,|S|$ buckets corresponding to the equations we can possibly obtain, and we are throwing balls into them corresponding to the equations our variation actually produces. If we obtain about $1.6\,|S|$ equations all told, approximately $1.6(1 - e^{-1})\,|S| \ge 1.01\,|S|$ of them will be distinct, and so it will be overwhelmingly likely that $|S|$ of them will be independent.

In our new variation we do not need to check whether $(u_1(x), u_2(x)) = 1$, and thus whether $(v_1(x), v_2(x)) = 1$. Therefore we can prepare beforehand a list of all polynomials of degrees $\le B-1$ that are composed of irreducible factors of degrees $\le m$, and this will generate a slight additional saving over the standard Coppersmith algorithm. (In order to take full advantage of the sparse matrix techniques of Section 5.7, it might be best to use only irreducible factors of degrees $\le m-5$, say.) The effort needed to compute $u_1(x)$ and $u_2(x)$ (i.e., to solve a small linear system of equations), which is comparable to the work needed to test whether a polynomial has all its irreducible factors of degrees $\le m$, can be amortized over more test polynomials by requiring that the degrees of $v_1(x)$ and $v_2(x)$ be $\le B-2$, since that will produce at least 15 nonzero solutions each time.
There are other ways to speed up the Coppersmith algorithm. One way would be to fix $2B+2-b$ of the coefficients of $u_1(x)$ and $u_2(x)$, where $b$ is maximal subject to being able to store about $2^b$ small integers. Then, for all irreducible polynomials $u(x)$ of degrees $\le m$, one could quickly compute those choices of the remaining $b$ coefficients for which $w_1(x)$ or $w_2(x)$ is divisible by $u(x)$. All that would need to be stored for each of the $2^b$ combinations would be the sum of the degrees of the divisors that were found. This variation, however, does not appear as promising as the one discussed above, and it would require some very novel architectures to implement it on a parallel processing machine of the type we will discuss later. Hence we do not explore this variation further.

A slight improvement on the basic idea of this section is to allow $v_1(x)$ and $v_2(x)$ to have different degrees, subject to the requirement that their sum be $\le 2B-2$, so as to make the degrees of $w_1(x)/v_1(x)$ and $w_2(x)/v_2(x)$ more nearly equal.

Another modification to the Coppersmith algorithm was suggested by Mullin and Vanstone [48]. It consists of choosing $w_1(x)$ to be of the form

$$w_1(x) = u_1(x)\, x^{h-a} + u_2(x)$$

for $a = 1$ or 2, say, and selecting

$$w_2(x) \equiv w_1(x)^{2^k} x^b \pmod{f(x)} ,$$

where $b$ is chosen so as to give small degree for $w_2(x)$ after reduction modulo $f(x)$. This might allow the use of slightly lower degree polynomials for $u_1(x)$ and $u_2(x)$ than would otherwise be required, since if $u_1(0) = 1$, the equations this method yields ought to be independent of those the basic method produces. This modification can be combined with the others suggested here.

5.7 Sparse matrix techniques

So far we have concentrated on variations on the linear equation collection phase of the index-calculus algorithm. However, as we noted in Section 4, the difficulty of solving systems of linear equations seemed for a long time to be an important limiting factor on the algorithm and affected the asymptotic estimate of its running time. For example, in the basic algorithm, if the term $2^{2m}$ in (4.16) were replaced by $2^{rm}$ for any $r > 2$ ($r = 3$ corresponding to the use of gaussian elimination, for example), then the minimum of (4.16) would occur not at $m \sim c_1 (n \log_e n)^{1/2}$, but at a smaller value, $m \sim c_1(r) (n \log_e n)^{1/2}$, and would be larger, with $c_2$ replaced by

$$c_2(r) = r\,(2(r-1))^{-1/2} (\log_e 2)^{1/2} .$$

In this section, though, we will show that the linear equations produced by the index-calculus algorithm can be solved in time essentially $|S|^2$, where $|S|$ is roughly the number of equations.

The matrices of coefficients of the linear equations generated by the first stage of the index-calculus algorithm are special in that they are very sparse. The reason is that the coefficient vector of each equation is obtained by adding several vectors $(b_v(h))$, indexed by $v \in S$, coming from factorizations of polynomials

$$h = \prod_{v \in S} v^{b_v(h)} .$$

Since the polynomials $h$ are always of degrees $< n$, there can be at most $n$ nonzero $b_v(h)$, and so each equation has at most $n$ nonzero entries. This is a very small number compared to the total number of equations, which is around $\exp(n^{1/3})$ or $\exp(n^{1/2})$. The literature on sparse matrix techniques is immense, as can be seen by looking at [4,6,11,27,61] and the references cited there. Many of the techniques discussed there turn out to be very useful for the index-calculus problem, even though we face a somewhat different problem from the standard one in that we have to do exact computations modulo $2^n - 1$ as opposed to floating point ones. In the worst case, the problem of solving sparse linear systems efficiently is probably very hard. For example, it is known that given a set of 0-1 vectors $v_1, \ldots, v_r$, each of which contains exactly three 1's, to determine whether there is a subset of them of a given size that is dependent modulo 2 is NP-complete [35]. Thus we cannot hope to find the most efficient worst case algorithm. However, very efficient algorithms can be found.

There are several methods for solving the systems of linear equations that arise in the index-calculus algorithms that run in time $O(N^{2+\epsilon})$ for every $\epsilon > 0$, where $N$ is the number of equations. The first ones were developed by D. Coppersmith and the author from an idea of N. K. Karmarkar. This idea was to adapt some of the iterative algorithms that have been developed for solving real, symmetric, positive definite systems of equations [6,11,33,39]. For example, in the original version of the conjugate gradient method [33], in order to solve the system $Ax = y$, where $A$ is a symmetric positive definite real matrix of size $N$ by $N$, and $y$ is a given real column vector of length $N$, one can proceed as follows. Let $x_0$ be an arbitrary vector of length $N$, and let $p_0 = r_0 = y - Ax_0$. The algorithm then involves $\le N-1$ iterations of the following procedure: given $x_i$, $r_i$, and $p_i$, let

$$a_i = \frac{(r_i, r_i)}{(p_i, A p_i)} , \qquad (5.15a)$$

$$x_{i+1} = x_i + a_i p_i , \qquad (5.15b)$$

$$r_{i+1} = r_i - a_i A p_i , \qquad (5.15c)$$

$$b_i = \frac{(r_{i+1}, r_{i+1})}{(r_i, r_i)} , \qquad (5.15d)$$

$$p_{i+1} = r_{i+1} + b_i p_i . \qquad (5.15e)$$

It can be shown [33] that if the computations are done to infinite precision, the algorithm will find $r_i = 0$ for some $i \le N-1$, and $x = x_i$ will then solve the original system $Ax = y$.

There are several problems with trying to use the conjugate gradient method to solve the systems of linear equations that arise in the index-calculus algorithms. One is that the system is not symmetric, and one has to solve $Bx = y$ where $B$ is not even a square matrix. This problem can be bypassed (as is well known, cf. [33]) by solving the system $Ax = z$, where $A = B^T B$ and $z = B^T y$. Since $B$ will in general be of almost full rank, solutions to $Ax = z$ will usually give us solutions to $Bx = y$. The matrix $A$ will not in general be sparse, but its entries do not have to be computed explicitly, since it is only necessary to compute the vectors $A p_i$, and that can be done by multiplying $p_i$ first by $B$ and then $B^T$. The matrix $B$ can be stored in the sparse form, with rows and columns being given by lists of positions and values of nonzero coefficients.

The main difficulty with the use of the conjugate gradient method is that the basic theory was based on minimizing a quadratic functional, and this does not apply in finite fields. However, as



was suggested by Karmarkar, the most important property of the algorithm is that the direction vectors $p_i$ are mutually conjugate (i.e., $(p_i, A p_j) = 0$ for $i \ne j$), and this is a purely algebraic property. Therefore the algorithm will terminate after at most $N-1$ iterations and will find a solution unless at some stage a vector $p_i$ is encountered such that $(p_i, A p_i) = 0$. This cannot happen if $A$ is a real positive-definite matrix and $p_i \ne 0$, but can occur over finite fields. If the computations are being done over a large finite field, the probability of this occurring if $x_0$ is chosen at random is quite low. If the field is small, say $GF(q)$ with small $q$, this probability is much more significant, and the way to avoid the problem is to choose $x_0$ to have entries in a larger field, say $GF(q^t)$ for some small $t \in \mathbf{Z}^+$.

The adaptation of the conjugate gradient algorithm outlined above has been tested successfully by the author on some small systems. The advantages of the method include not only speed, since only about $NQ$ operations in the field $GF(q^t)$ are required, where $Q$ is the number of nonzero entries in $B$, and thus $O(\log N)$ or $O((\log N)^2)$ in our problems, but also very modest storage requirements, since aside from the matrix $B$ it is necessary to store the vectors $x_i$, $p_i$, $r_i$ for only two consecutive values of $i$ at a time.

An algorithm due to Lanczos [39], somewhat different from the conjugate gradient algorithm, was similarly adapted by Coppersmith to solve the linear systems arising in the index-calculus algorithm. Coppersmith used that method to obtain another solution to the linear system that arose in the implementation of his attack on discrete logarithms in $GF(2^{127})$.

A more elegant method for dealing with the index-calculus linear systems was invented recently by Wiedemann [66]. Suppose first that we wish to solve for $x$ in $Ax = y$, where $A$ is a matrix of size $N$ by $N$ (not necessarily symmetric) over a field $GF(q)$. Let $v_0, v_1, \ldots, v_{2N}$ be vectors of length $K$, which might be 10 or 20, with $v_j$ consisting of the first $K$ coefficients of the vector $A^j y$. Since to compute the $v_j$ we need only start with $y$ and keep multiplying it by $A$, without storing all the vectors $A^j y$, we need only $O(KN)$ storage locations, each one capable of storing an element of $GF(q)$, and the number of $GF(q)$ operations to carry out this computation is $O(NQ)$. Now the matrix $A$ satisfies a polynomial equation of degree $\le N$:
$$\sum_{j=0}^{N} c_j A^j = 0 , \qquad (5.16)$$

and therefore also for any $k \ge 0$,

$$\sum_{j=0}^{N} c_j A^{j+k} y = 0 . \qquad (5.17)$$

Eq. (5.17) implies that any single component of the $v_0, \ldots, v_{2N}$ satisfies the linear recurrence with characteristic polynomial

$$\sum_{j=0}^{N} c_j z^j . \qquad (5.18)$$

Given any sequence of length on the order of $N$, the Berlekamp-Massey algorithm [29,44,56] finds its minimal characteristic polynomial in $O(N^2)$ operations in the field $GF(q)$. Hence if we apply the Berlekamp-Massey algorithm to each of the $K$ coordinates of the vectors $v_0, \ldots, v_{2N}$, we will in $O(KN^2)$ steps obtain $K$ polynomials whose least common multiple is likely to be the minimal polynomial of $A$. When we do find that minimal polynomial, and it is of the form (5.18) with $c_0 \ne 0$, then we can easily obtain the desired solution to $Ax = y$ from

$$y = A^0 y = -c_0^{-1} \sum_{j=1}^{N} c_j A^j y = A\left(-c_0^{-1} \sum_{j=1}^{N} c_j A^{j-1} y\right) . \qquad (5.19)$$

If $A$ is nonsingular, then $c_0 \ne 0$, as is easy to see. Conversely, if $c_0 \ne 0$, then $A$ is nonsingular, since we can then write

$$A \sum_{j=1}^{N} c_j A^{j-1} = -c_0 I .$$

In general in index-calculus algorithms, we have to solve a system of the form $Ax = y$, where $A$ is of size $M$ by $N$, with $M > N$ (but $M - N$ small). One way to reduce to the earlier case of a nonsingular square matrix is to take a submatrix $A'$ of $A$ of size $N$ by $N$, and apply the algorithm presented above to $(A')^T x = z$ for some random vector $z$. If $A'$ turns out to be nonsingular, we can then go back and search for solutions to $A'x = y$, which is what we are interested in. If $A'$ is singular, though, we will obtain a linear dependency among the rows of $A'$. This means we can discard one of the rows of $A'$ that was involved in that dependency and replace it with another row of that part of $A$ that has not been used yet. After a few steps, we ought to obtain a nonsingular $A'$, and this will enable us to solve for $x$ in $Ax = y$. Wiedemann [66] also has a deterministic algorithm, which may not be as practical, however.
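An added, worked version of Wiedemann's method (our code, not the paper's or Wiedemann's) for a small constructed system over GF(101): Berlekamp-Massey on the first K coordinates of the sequence $y, Ay, A^2 y, \ldots$, the least common multiple of the resulting characteristic polynomials (5.18), and the solution read off via (5.19); the prime, matrix and right-hand side are constructed test data and all function names are ours.

```python
# Added example, not code from the paper: Wiedemann's method over GF(P) as
# sketched above.  The first K coordinates of y, Ay, A^2 y, ... are fed to
# Berlekamp-Massey, the K recurrences are combined by lcm, and x is read off
# with (5.19).  P, A_EXAMPLE and Y_EXAMPLE are constructed test data; the
# function names are ours.  Polynomials are coefficient lists, low degree first.

P = 101  # constructed small prime; the paper's field would be GF(q)


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % P for row in A]


def inv(a):
    return pow(a, P - 2, P)


def trim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def poly_mul(f, g):
    r = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % P
    return r


def poly_divmod(f, g):
    f, q = f[:], [0] * max(1, len(f) - len(g) + 1)
    lead = inv(g[-1])
    for i in range(len(f) - len(g), -1, -1):
        c = f[i + len(g) - 1] * lead % P
        q[i] = c
        for j, b in enumerate(g):
            f[i + j] = (f[i + j] - c * b) % P
    return trim(q), trim(f)


def poly_gcd(f, g):
    while g != [0]:
        f, g = g, poly_divmod(f, g)[1]
    return [c * inv(f[-1]) % P for c in f]          # made monic


def poly_lcm(f, g):
    return poly_divmod(poly_mul(f, g), poly_gcd(f, g))[0]


def berlekamp_massey(s):
    """Connection polynomial C (C[0] = 1) of the shortest recurrence
    s[n] + C[1] s[n-1] + ... + C[L] s[n-L] = 0 satisfied by s, over GF(P)."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n, sn in enumerate(s):
        d = (sn + sum(C[i] * s[n - i] for i in range(1, L + 1))) % P
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * inv(b) % P
        C = C + [0] * (len(B) + m - len(C))
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % P
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return (C + [0] * (L + 1))[:L + 1]


def wiedemann_solve(A, y, K):
    """Solve A x = y for a nonsingular N x N matrix A over GF(P).  Returns None
    if the lcm of the K coordinate recurrences gives no solution (c_0 = 0, or
    K too small so that the lcm misses part of the minimal polynomial)."""
    N = len(A)
    seqs, v = [[] for _ in range(K)], [c % P for c in y]
    for _ in range(2 * N + 1):                      # v_0, ..., v_2N: K coordinates of A^j y
        for i in range(K):
            seqs[i].append(v[i])
        v = matvec(A, v)
    f = [1]                                         # running lcm of characteristic polynomials
    for s in seqs:
        f = poly_lcm(f, berlekamp_massey(s)[::-1])  # reversed connection poly = (5.18)
    if f[0] == 0:
        return None                                 # c_0 = 0: A singular on this sequence
    x, v = [0] * N, [c % P for c in y]
    for cj in f[1:]:                                # (5.19): x = -c_0^{-1} sum_{j>=1} c_j A^{j-1} y
        x = [(xi + cj * vi) % P for xi, vi in zip(x, v)]
        v = matvec(A, v)
    x = [xi * (P - inv(f[0])) % P for xi in x]
    return x if matvec(A, x) == [c % P for c in y] else None


# Constructed test system: det = 2*3*5*7 - 1 = 209 = 7 (mod 101), so A is nonsingular.
A_EXAMPLE = [[2, 1, 0, 0], [0, 3, 1, 0], [0, 0, 5, 1], [1, 0, 0, 7]]
Y_EXAMPLE = matvec(A_EXAMPLE, [3, 14, 15, 92])     # right-hand side with a known solution

if __name__ == "__main__":
    print(wiedemann_solve(A_EXAMPLE, Y_EXAMPLE, K=4))
```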

We conclude this section by discussing some very simple methods for solving sparse systems of equations. Some of these methods can be used as a preliminary step before the application of Wiedemann's algorithm, say, since they serve to reduce the effective size of the matrix that has to be dealt with. In some cases these methods by themselves could be just about as efficient as the techniques described above. These methods are based on a simple observation that has often been made in the work on sparse matrices (cf. [6]), namely that if a matrix is noticeably sparser on one end than on the other, then it is better to start gaussian elimination from the sparse end. In our case, if we arrange the matrix of coefficients so that the columns correspond to polynomials $v \in S$ sorted by increasing degree, then the right side of the matrix will be very sparse. (If we use the fast version for generating the $h$ that is presented in Section 5.3, it is necessary to choose the random $v_r \in S$ to have only low degrees for this to remain true.) To see just how sparse that matrix is, consider the Coppersmith algorithm in $GF(2^n)$, with $k$, $m$, and $B$ chosen to satisfy (4.34a-c) with $\alpha$ satisfying (4.38), and $\beta$ and $\gamma$ satisfying $\beta = \gamma$ and (4.40). If we take $M \sim m^{-1} 2^m$, then the matrix of coefficients will have about $2M$ rows and $2M$ columns, with columns $M+1, \ldots, 2M$ (approximately) corresponding to the irreducible polynomials of degree $m$. We now consider those columns. Any row in the matrix comes from adding two vectors of discrete logarithm coefficients from factorization of two polynomials of degrees about $B \cdot 2^k$, both of which are divisible only by irreducible factors of degrees $\le m$. The probability that a polynomial of degree $B \cdot 2^k$, which factors into irreducibles of degrees $\le m$, also is divisible by a particular chosen irreducible polynomial of degree exactly $m$ is approximately
$$\frac{2^{-m}\, p(B 2^k - m, m)}{p(B 2^k, m)} ,$$

which, by Lemma A.3 of Appendix A, is

$$\sim 2^{-m} m^{-1} B 2^k \log(B 2^k / m) .$$

Therefore the probability that any particular entry in the last $M$ columns of the matrix is nonzero is about

$$2^{-(m-1)} m^{-1} B 2^k \log(B 2^k / m) . \qquad (5.20)$$

(The factor 2 comes from the fact that we are adding two vectors.) For the choices of $B$, $2^k$, and $m$ that were specified, this becomes $\delta M^{-1}$, where

$$\delta = 2 \alpha \gamma \beta^{-2} / 3 = \log 2 = 0.6931\ldots .$$

(Exactly the same asymptotic result also applies to the basic index-calculus algorithm.) Therefore, by the "balls into buckets" model, we expect that with probability about

$$\left(1 - \delta M^{-1}\right)^{2M} \approx \exp(-2\delta) = 1/4 ,$$

any column among the last $M$ will contain only zeros. This means that about $M/4$ of the $M$ irreducible polynomials of degree $m$ will not appear in any of the factorizations and so the data base obtained from the first phase will be missing those values. More importantly, it means that it was not necessary to obtain all of the $2M$ equations, as $7M/4$ would have sufficed. (In fact fewer than $7M/4$, since with that few equations, the chances of obtaining a zero column would be even larger, and in addition we would also have some irreducible polynomials of degrees $m-1$, $m-2$, etc., which would not appear in the equations.) In addition, the probability of a particular column among the last $M$ having just a single nonzero coefficient is about

$$2M \cdot \delta M^{-1} \left(1 - \delta M^{-1}\right)^{2M-1} \approx 2\delta \exp(-2\delta) = (\log 2)/2 = 0.346\ldots .$$

Thus an additional $0.346M$ of the last $M$ columns would have a single nonzero coefficient, so that we could remove those columns together with the rows in which those columns have nonzero coefficients, solve the remaining system, and then obtain the values of logarithms corresponding to the deleted columns by back substitution. (Occasionally a row might contain two nonzero coefficients which are the only such in their columns, which would prevent recovery of the values of the corresponding logarithms, but that is not a significant problem.) Furthermore, removal of those rows and columns would create more columns with only a single nonzero coefficient, so that the size of the matrix could be cut down by more than $0.35M$. However, both simulations and heuristic arguments show that if we proceed to carry out standard gaussian elimination, proceeding from the sparse end, then very rapid fill-in occurs. Therefore one does have to be careful about the algorithms that are used.

The above discussion of just how sparse the matrices of the index-calculus algorithms are was meant to 
motivate the following method. It will be helpful to explain it in terms of operating on the full 
matrix, although in practice the matrix would be stored in the sparse encoding, using lists of nonzero 
coefficients and their positions for rows and columns, just as in the case of the algorithms discussed 
above. The algorithm is as follows: 

Step 1: Delete all columns which have a single nonzero coefficient and the rows in which those 
columns have nonzero coefficients. 

Step 1 is repeated until there are no more columns with a single nonzero entry. 

Step 2: Select those αM columns which have the largest number of nonzero elements for some 
α > 0. Call these columns "heavy," the others "light." 

A typical value of α might be 1/32. The entries in the "heavy" columns for every given row might 
be stored on a disk, with a pointer attached to the row list indicating the storage location. These 
pointers would have coefficients attached to them, which are set to 1 initially. The weight of a row 
is then defined as the number of nonzero coefficients in its "light" columns. 

Step 3: Eliminate variables corresponding to rows of weight 1 by subtracting appropriate 
multiples of those rows from other rows that have nonzero coefficients corresponding to 
those variables. 

During execution of Step 3, if u times row i is to be subtracted from row j, the pointers attached to 
row j are to have added to them the pointers of row i, with their coefficients multiplied by u. Step 
3 is to be repeated until there are no more rows of weight 1. At the end of this process there are 
likely to be many more equations than unknowns. We can then perform the following operation. 

Step 4: If r rows are excess, drop the r rows with highest weight. 

We now iterate Step 1, and then Step 3. We then go on to the next procedure. Note that if a 
variable indexed by j, say, appears in rows of weights 2 ≤ w_1 ≤ w_2 ≤ · · · ≤ w_k, then eliminating 
that variable using a row of weight w_i will increase the number of nonzero entries in the matrix 
(after deletion of the row of weight w_i and the column corresponding to our variable) by 

$$(w_i - 1)(k - 1) - w_i - (k - 1) = (w_i - 2)(k - 1) - w_i. \qquad (5.21)$$

Hence to minimize the amount of fill-in, we need to choose that variable and that w_i (which clearly 
equals w_1) for which (5.21) is minimized. Keeping track of this quantity is fairly easy if we use a 
priority queue data structure. 

Step 5: Eliminate that variable which causes the least amount of fill-in. 

The algorithm outlined above can be implemented to run very fast, and it reduces the problem of 
solving a roughly 2M by 2M system to that of solving an αM by αM system. What is perhaps 
most remarkable, if the original system is sufficiently sparse, only the first few steps of the algorithm 
are needed. For example, if the elements of the matrix are chosen independently at random, so that 
the probability of an entry in the last M columns being nonzero is δM^{-1}, in the next M/2 columns is 
2δM^{-1}, etc., where δ ≤ 0.85 (compared to δ = 0.693... for the optimal case of Coppersmith's 
algorithm), and α = 1/32, then Steps 1-4 of the algorithm are all that is needed, since by the time 
they are completed, there is nothing left of the "light" portion of the matrix. This result is confirmed 
by simulations (with systems of sizes up to 96,000) and by heuristic arguments. 
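As an added illustration that is not the paper's own code, the following Python carries Steps 1-4 above out on a small sparse system over GF(q) for a small prime q (standing in for the modulus 2^n − 1), with the disk-resident "pointer" storage of the heavy columns simplified to dictionary entries; the system built in demo() is constructed with a known solution so that every recovered value can be checked, and the remark above about rows whose two nonzero entries are the only ones in their columns shows up as variables that cannot be recovered.

```python
"""Structured Gaussian elimination (Steps 1-4 of Section 5.7): an added illustration,
not the paper's code.  Arithmetic is modulo a small prime q standing in for 2^n - 1."""
import random
from collections import Counter
from math import ceil

def column_counts(rows):
    """Nonzero entries per column; a row is a (dict column->coefficient, rhs) pair."""
    return Counter(c for r, _ in rows for c in r)

def remove_singletons(rows, eliminated):
    """Step 1: delete each column having a single nonzero entry together with the
    row containing it (kept for back substitution); repeat until none is left."""
    while True:
        c = next((c for c, k in column_counts(rows).items() if k == 1), None)
        if c is None: return
        i = next(i for i, (r, _) in enumerate(rows) if c in r)
        eliminated.append((c, rows.pop(i)))

def eliminate_col(rows, i, c, q):
    """Subtract u * row i (u = a_jc / a_ic mod q) from every other row j with a nonzero
    in column c; row i is removed from the system and returned."""
    r_i, b_i = rows.pop(i)
    inv = pow(r_i[c], -1, q)
    for k, (r_j, b_j) in enumerate(rows):
        if c in r_j:
            u = r_j[c] * inv % q
            for col, v in r_i.items():
                r_j[col] = (r_j.get(col, 0) - u * v) % q
            rows[k] = ({col: v for col, v in r_j.items() if v}, (b_j - u * b_i) % q)
    return r_i, b_i

def eliminate_weight1(rows, heavy, eliminated, q):
    """Step 3: a row whose only 'light' entry is column c determines that variable;
    use it to eliminate c from all other rows.  Repeat until no row has weight 1."""
    while True:
        for i, (r, _) in enumerate(rows):
            light = [c for c in r if c not in heavy]
            if len(light) == 1:
                eliminated.append((light[0], eliminate_col(rows, i, light[0], q)))
                break
        else:
            return

def dense_solve(rows, cols, q):
    """Ordinary Gaussian elimination (RREF mod q) on what is left; returns only the
    variables that the remaining equations determine uniquely."""
    n = len(cols)
    A = [[r.get(c, 0) for c in cols] + [b] for r, b in rows]
    pivots, pr = [], 0
    for j in range(n):
        p = next((i for i in range(pr, len(A)) if A[i][j]), None)
        if p is None: continue
        A[pr], A[p] = A[p], A[pr]
        inv = pow(A[pr][j], -1, q)
        A[pr] = [v * inv % q for v in A[pr]]
        for i in range(len(A)):
            if i != pr and A[i][j]:
                A[i] = [(a - A[i][j] * b) % q for a, b in zip(A[i], A[pr])]
        pivots.append((pr, j))
        pr += 1
    return {cols[j]: A[i][n] for i, j in pivots if sum(1 for v in A[i][:n] if v) == 1}

def structured_solve(rows, q, alpha=1 / 32):
    """rows: list of (dict column->coefficient, right-hand side) over GF(q).
    Returns a dict column->value for every variable that can be recovered."""
    rows = [({c: v % q for c, v in r.items() if v % q}, b % q) for r, b in rows]
    eliminated = []                                    # (column, row) records
    remove_singletons(rows, eliminated)                # Step 1
    cnt = column_counts(rows)                          # Step 2: the heaviest columns
    heavy = {c for c, _ in cnt.most_common(ceil(alpha * len(cnt)))}
    eliminate_weight1(rows, heavy, eliminated, q)      # Step 3
    excess = len(rows) - len(column_counts(rows))      # Step 4: drop the heaviest rows
    if excess > 0:
        rows.sort(key=lambda rb: sum(1 for c in rb[0] if c not in heavy))
        del rows[len(rows) - excess:]
    remove_singletons(rows, eliminated)                # iterate Steps 1 and 3
    eliminate_weight1(rows, heavy, eliminated, q)
    sol = dense_solve(rows, sorted(column_counts(rows)), q)
    for c, (r, b) in reversed(eliminated):             # back substitution, newest first
        if all(col in sol for col in r if col != c):   # otherwise the value is lost
            acc = (b - sum(v * sol[col] for col, v in r.items() if col != c)) % q
            sol[c] = acc * pow(r[c], -1, q) % q
    return sol

def make_system(n_vars, n_rows, q, rng):
    """Constructed system with a known solution: a few nonzeros per row, mostly 1s,
    low-numbered columns denser (like the small-degree irreducibles in S)."""
    truth = [rng.randrange(q) for _ in range(n_vars)]
    rows = []
    for _ in range(n_rows):
        cols = {int(n_vars * rng.random() ** 2) for _ in range(5)}
        r = {c: (1 if rng.random() < 0.8 else 2) for c in cols}
        rows.append((r, sum(v * truth[c] for c, v in r.items()) % q))
    return rows, truth

def demo(seed=7, n_vars=40, n_rows=80, q=1009):
    """Solve a constructed 2M-by-M system; returns (variables recovered, wrong values)."""
    rows, truth = make_system(n_vars, n_rows, q, random.Random(seed))
    sol = structured_solve(rows, q, alpha=0.1)
    return len(sol), sum(1 for c, v in sol.items() if v != truth[c])
```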

The method presented above draws on ideas that are well known in the literature on sparse 
matrices (cf. [11]). Moreover, some of these ideas have already been used in the factoring integers 
and computing discrete logarithms. For example, J. Davenport in his computations related to 
Coppersmith's algorithm [19] used some heuristic methods to minimize fill-in. Such methods were 
also used during the execution of the Blake et al. [8] version of the basic index-calculus algorithm in 
GF(2^127). According to R. Mullin (private communication), the system of about 16,500 equations 
in about that many variables (m = 17 was used) was reduced by methods similar to those presented 
above to a system of size under 1000, which was then solved by ordinary gaussian elimination. 
Moreover, their procedure did not involve such tricks as always choosing the equation with fewest 
nonzero entries during elimination, which appear to result in dramatic improvements in 
performance. Therefore we expect these methods to be quite useful. 

6. Practical and impractical implementations 

Blake, Fuji-Hara, Mullin, and Vanstone [8] have successfully tested the basic index-calculus 
algorithm on fields up to GF(2^127). They estimated that with their VAX 11/780, a relatively slow 
minicomputer, it would have taken them many CPU months to carry out the first stage of the 
algorithm for GF(2^127) with m = 17. On the HEP, a powerful multiprocessor to which they 
obtained access, their implementation of the algorithm took about 8 hours for the first stage, of 
which about one hour was devoted to solving linear equations. (Their systematic equations method 
produced a substantial fraction of all the required equations.) Once the first stage is completed, the 
second stage is expected to take around 1 CPU hour per logarithm even on the VAX 11/780. On 
the IBM 3081K, Coppersmith estimated that the equation collecting phase for GF(2^127) would take 
around 9 hours with the basic algorithm. Using his own variation, Coppersmith was able to find all 
the necessary polynomials (for m = 12) in 11 minutes [19]. (The factorization of the polynomials 
to obtain the actual equations took 8 minutes, and solution of the equations took 20 minutes, but 
these tasks were performed with a general purpose symbolic manipulation program, and so could 
undoubtedly be speeded up very substantially.) Further speedups, perhaps by a factor of 30 to 50, 
could be obtained by combining the variation proposed in Section 5.6, which might gain a factor of 
10 to 20, with those of Sections 5.4 and 5.5, which together might gain a factor of 2 or 3. Using the 
Cray-1 might gain an additional factor of 10 or so, because it is perhaps 5 times faster than the 
IBM 3081K and because it could store and manipulate the test polynomials (of degrees < 42) in 
single words. Thus we can expect that with current supercomputers the equation collecting part of 
the first phase of the algorithm can be completed in around one second. Since the database 
produced by the algorithm is not very large (16,510 127-bit numbers for m = 17 in the basic 
algorithm and 747 numbers for m = 12 in the Coppersmith variation), this means that individual 
logarithms in GF(2^127) can now be computed even on personal computers. Therefore GF(2^127) 
ought to be regarded as completely unsuitable for cryptographic applications. Our intention here is 
to explore what other fields might be appropriate. 

We first consider the basic algorithm. Although it has been made obsolete by the Coppersmith 
variation in applications to the fields GF(2^n), it is worth analyzing in detail, since by comparing our 
estimates to actual running times we will obtain a better idea of how accurate the estimates are. 

In Section 5 we presented briefly a number of variations on the basic index-calculus algorithm. 
These variations were not analyzed very carefully, since we were interested only in the order of 
magnitude of the improvements that can be obtained from such techniques. The general conclusion 
to be drawn from that section is that the time to generate the pairs (w_1, w_2) can probably be 
neglected. The work needed to obtain |S| equations is probably no more than, and at least 1/5 of, 
the work needed to test 

$$|S|\, p(\lceil n/2 \rceil, m)^{-2}$$

pairs (w_1, w_2) by the procedure outlined in Section 4.3 to see whether all the irreducible factors of 
each of the w_i are in S. To test each w_i takes about m/2 operations of the form (4.8), each of 
which involves a squaring modulo a polynomial of degree perhaps n/3 on average (since the degrees 
of the w^{(i)}(x) will be decreasing, especially if we use the early abort strategy with additional tests 
along the way to discard pairs (w_1, w_2) that are not factoring satisfactorily), a greatest common 
divisor operation on two polynomials of degrees around n/3, and a division, which will usually be 
trivial. 

To evaluate the significance of the index-calculus algorithm for cryptographic schemes, we have 
to look at the effect of parallel processing and at speeds of modern circuits. We will assume that no 
exotic algorithms, such as fast integer multiplication using the Fast Fourier Transform [10], are to 
be used, since they are probably not practical for n on the order of several hundred. Since a 
cryptographic scheme ought to be several orders of magnitude too hard to break, we will only try to 
be accurate within a factor of 10 or so. 

It appears that at present, custom VLSI chips could be built that would perform about 10^8 
operations per second, where each operation would consist of a shift of a register of length 200 to 
300 or else an exclusive or of two such registers. Semi-custom chips, which would be much easier to 
design and cheaper to produce, could operate at about 10^7 operations per second. Within the next 
decade or so, these speeds might increase by a factor of 10, so custom chips might do 10^9 operations 
per second, while semi-custom ones do 10^8. General purpose supercomputers like the Cray-1 can do 
about 10^8 operations per second when running in vector mode to take advantage of parallel 
processing, where each operation consists of a shift or exclusive or of 64-bit words. The structure of 
the index-calculus algorithm lends itself to parallel processing, but the fact that coefficients of 
polynomials would often take more than a single machine word to store would cause a substantial 
slowdown in operations, perhaps to a level of 10^7 operations per second. The next generation of 
supercomputers, such as the Cray-2, will be about 10 times faster, and might run at the equivalent 
of 10^8 operations per second. 

The number of shifts and exclusive or's that are involved in squaring a polynomial of degree 
~ n/3 modulo another polynomial of roughly that same degree and then in taking the greatest 
common divisor of two polynomials of degrees ~ n/3 can be roughly estimated by 3n. Therefore 
each of the roughly |S| p(⌈n/2⌉, m)^{-2} pairs (w_1, w_2) that are generated can be expected to require 
about 3mn operations. (Various branchings and the like would make the actual algorithm slower, 
but this would be compensated somewhat by the factor of 3 or more that we might gain from using 
the large irreducible factor and the early abort variations, and the method of systematic equations. 
Note also that almost always it is only necessary to test w_1, since when it turns out not to factor in 
the desired way, there is no need to test w_2.) We therefore expect that about 

$$n\, 2^{m+3}\, p(\lceil n/2 \rceil, m)^{-2} \qquad (6.1)$$

operations might be needed to generate the linear equations for the log_g v, v ∈ S. Below we give 
approximations to the minimal values of (6.1) for various values of n as m varies (only values of 
m ≤ 40 were considered): 



Table 2. Operation count for the basic algorithm. 

     n     minimum of (6.1)     m 
   120       3.3 x 10^11       19 
   160       2.9 x 10^13       23 
   200       1.6 x 10^15       26 
   240       6.5 x 10^16       29 
   280       2.0 x 10^18       32 
   320       5.2 x 10^19       35 
   360       1.1 x 10^21       37 
   400       2.1 x 10^22       40 
   500       3.5 x 10^25       40 


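To see how the entries of Table 2 arise, here is an added Python example (not the paper's code) that computes p(n, m) exactly, by counting the polynomials over GF(2) of degree n all of whose irreducible factors have degree ≤ m, and then minimises (6.1) over m ≤ 40 for each n; since the paper evaluated p(n, m) with the approximations of Appendix A, its figures differ from these by a small factor, but the optimal m and the order of magnitude agree.

```python
"""Operation count (6.1) for the basic index-calculus algorithm: an added illustration,
not the paper's code.  p(n, m) is computed exactly by counting the polynomials over GF(2)
of degree n all of whose irreducible factors have degree <= m; the paper used the
approximations of Appendix A, so its Table 2 figures differ from these by a small factor."""
from functools import lru_cache
from math import ceil, comb

def mobius(n):
    """Moebius function mu(n) by trial division."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0
            result = -result
        p += 1
    return -result if n > 1 else result

def irreducibles(d):
    """Number of irreducible polynomials of degree d over GF(2): (1/d) sum_{e|d} mu(d/e) 2^e."""
    return sum(mobius(d // e) * 2 ** e for e in range(1, d + 1) if d % e == 0) // d

@lru_cache(maxsize=None)
def smooth_counts(n_max, m):
    """counts[n] for n = 0..n_max: polynomials of degree n over GF(2) (leading coefficient
    1) whose irreducible factors all have degree <= m, i.e. the coefficients of
    prod_{d <= m} (1 - x^d)^(-I(d)), built up one factor at a time."""
    if m == 0:
        return (1,) + (0,) * n_max
    prev, I = smooth_counts(n_max, m - 1), irreducibles(m)
    # a multiset of j irreducibles of degree m can be chosen in C(I + j - 1, j) ways
    return tuple(sum(prev[n - j * m] * comb(I + j - 1, j) for j in range(n // m + 1))
                 for n in range(n_max + 1))

def p(n, m):
    """Probability that a random polynomial of degree n over GF(2) is m-smooth."""
    return smooth_counts(n, min(m, n))[n] / 2 ** n

def basic_ops(n, m):
    """Estimate (6.1): n 2^(m+3) p(ceil(n/2), m)^(-2) operations to collect the equations."""
    return n * 2 ** (m + 3) / p(ceil(n / 2), m) ** 2

def best_m(n, m_max=40):
    """The m <= m_max minimising (6.1) and the resulting count: one row of Table 2."""
    m = min(range(1, m_max + 1), key=lambda m: basic_ops(n, m))
    return m, basic_ops(n, m)

if __name__ == "__main__":
    for n in (120, 160, 200, 240, 280, 320, 360, 400, 500):
        m, ops = best_m(n)
        print(f"n = {n:4d}: about {ops:.1e} operations with m = {m}")
```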

We will now temporarily neglect the effort needed to solve the linear equations that are 
generated, and discuss for which n and m one could hope to generate the required linear equations 
with various hardware configurations. We will assume that the equations are to be generated within 
one year, roughly 3 x 10^7 seconds. If we use a single supercomputer, we can hope to carry out 
between 3 x 10^14 and 3 x 10^15 operations in that year. If we use a massively parallel machine with 
M special chips, we can expect to carry out between 3 x 10^14 M and 3 x 10^16 M operations in a 
year, depending on the technology that is used. Comparing these figures with those in the table in 
the preceding paragraph we see that even under our very optimistic assumptions, a general 
supercomputer could not assemble the required set of linear equations in under a year if n > 240, 
say, whereas it probably could for n < 180. On the other hand, even a relatively modest special 
purpose processor using 10^4 semi-custom chips based on current technology could perform about 
3 x 10^18 operations per year, and so could probably cope with n ≤ 260, and perhaps with n ≤ 280, 
but probably not much beyond it. A very ambitious processor, using 10^6 custom designed chips 
operating at speeds that might become attainable in the next decade could do about 3 x 10^22 
operations per year, and could probably generate the needed equations for n < 380, but probably 
not for n > 420. 

The estimates made above are probably quite accurate, as is confirmed by comparing the 
numbers in Table 2 with the results of the GF(2^127) computations of [8]. Interpolating between the 
values in Table 2, we might expect that GF(2^127) might require about 10^12 operations on a modern 
supercomputer, which is roughly what can be done in a day to a week. On the HEP, which is one 
of the modern multiprocessor supercomputers, the actual running time was about 7 hours, even 
though the method of systematic equations yielded about half of the equations practically for free. 

The discussion in the preceding paragraph dealt only with the equation collection phase of the 
algorithm. The main reason for this is that the methods discussed in Section 5.7 make solving those 
equations rather negligible. However, in some cases this part of the algorithm might be nontrivial, 
since it would require doing arithmetic modulo 2^n − 1. It is possible to envisage VLSI chips that 
multiply n-bit integers very fast, but such chips have impractically large areas. At the present time 
the best practical designs appear to be able to multiply two n-bit integers modulo another n-bit 
integer in about n clock periods (cf. [12]). Therefore we can expect that special purpose chips could 
perform between n^{-1} 10^7 and n^{-1} 10^9 multiplications modulo 2^n − 1 per second, depending on the 
technology. In the case of a modern supercomputer, which could possibly perform about 10^8 
multiplications on 32-bit words per second, we could expect about 10^8/(10(n/32)^2) = 10^10 n^{-2} 
modular multiplications per second, and this will probably go up to 10^11 n^{-2} in the next generation of 
supercomputers. (The factor 10 is there largely to compensate for the difficulty of working with 
multi-word numbers. We ignore the fact that many modern computers, such as the Cray-1, only 
allow 24-bit integer multiplication.) 

In many situations, solving linear equations should be regarded as a limiting factor not so much 
due to its high operation count, but rather due to its requirements for a large memory and operation 
synchronization. A special purpose multiprocessor for the collection of equations is relatively simple 
to build. Each of the processors in it is quite simple, with essentially no storage, and these 
processors can operate independently of each other. Every once in a while one of these processors 
will find a factorization of the desired kind, which will then be sent to a central processor for 
storage. This also means that a multiprocessor of this kind would be fault-tolerant, since any 
factorization obtained by a small processor could be easily checked either by the central processor or 
by other processors without affecting the running time significantly. Therefore it would be very easy 
to build a multiprocessor to collect equations. On the other hand, a multiprocessor built for solving 
linear equations would require a very large memory, all the processors in it would have to operate 
synchronously under the control of the central unit, and it would have to operate essentially without 
errors. Such a multiprocessor would be much harder to build, and so we will often consider the use 
of a supercomputer for the equation solving phase together with a modest special purpose 
multiprocessor for the equation collecting phase. 

In the case of the basic algorithm, the estimates derived from Table 2 for the running time of 
the algorithm do change somewhat if we consider using a modern supercomputer to solve the 
equations. For example, for n = 400, the value 2.1 x 10^22 for the number of operations to find the 
needed equations requires the use of m = 40, which means that the number of unknowns (and 
equations) is around 5 x 10^10. Moreover, each equation might involve around 20 nonzero coefficients 
(which are usually equal to 1, though). Thus even with the use of the method described at the end 
of Section 5.7 to reduce the number of equations, of sorting on a disk, and sophisticated data 
structures, it seems that m = 40 would not be practical. However, use of m = 35 would reduce the 
size of the storage required by a factor of about 30, while increasing the number of operations to 
obtain the linear equations to only 3.5 x 10^22. Further reduction of m, to ≤ 30, would bring solution 
of the linear equations within practical reach without drastically increasing the effort needed for the 
equation collection phase. 

The basic conclusion to be drawn from the preceding discussion is that using the basic algorithm, 
a supercomputer could probably be used to complete the first phase for n < 200, but almost 
certainly not for n > 300. Using a relatively simple special purpose multiprocessor to assemble the 
equations and a supercomputer to solve them might be feasible for n < 300. Finally, even a very 
ambitious special purpose machine with 10^6 chips operating at 1 nanosecond per operation would not 
suffice for n > 500. 

The above discussion applied to the basic index-calculus algorithm. We next analyze the 
Coppersmith variation. In this case the performance of the algorithm can again be improved 
through use of the large irreducible factor variation and the early abort strategy, but again probably 
only by a factor of 3 to 5. Hence we will neglect these techniques. On the other hand, the method 
described in Section 5.6 leads to a speedup by two or three orders of magnitude, and so we will take 
it into account. As before, we first neglect the effort needed to solve the linear equations, and 
estimate only the work involved in finding those equations. 

In the first stage of the Coppersmith algorithm, the time to generate the polynomials w_1(x) and 
w_2(x) can probably be neglected, especially since for each choice of v_1(x) and v_2(x) in the 
variation of Section 5.6 we will typically obtain several (w_1(x), w_2(x)) pairs. The main work 
consists of testing the pairs (w_1, w_2) to see whether all the irreducible factors of the w_i are in S. 
By a reasoning almost identical to that used in analyzing the basic algorithm (but with n replaced 
by 2h), we see that this ought to take about 6mh exclusive or's and shifts. Hence the total number 
of such operations might be around 

$$h\, 2^{m+4}\, p(h, m)^{-1}\, p(M, m)^{-1}, \qquad (6.2)$$

with 

$$M = \max\left(h2^k - n + 2^k d_1 - d_2 + \deg f_1(x),\ (2^k - 1)\, d_2\right),$$

where we select deg u_i(x) = deg v_i(x) = d_i, i = 1, 2. (There is occasionally some slight 
advantage in allowing different degree bounds for u_1 and u_2.) We also have to satisfy 

$$p(h + d_1, m)\, p(M + d_2, m)\, 2^{d_1 + d_2 + 1} \geq m^{-1}\, 2^{m+1}$$

in order to have enough possible equations. 

In the table below we present approximate values for the minimal number of operations that 
these estimates suggest. In the preparation of this table, deg f_1(x) was taken to be 10, since that is 
approximately what it is for such cryptographically important values of n as 521, 607, 881, and 
1279. Also, only values of m ≤ 40 were considered. 



Table 3. Operation count for Coppersmith's algorithm (equation collecting phase only). 

     n    approximate minimum of (6.2)    2^k     h     m    d_1   d_2 
   280          4.5 x 10^11                4     70    20    14    16 
   400          4.8 x 10^13                4    100    23    17    20 
   520          3.0 x 10^15                4    130    27    20    22 
   700          7.3 x 10^17                4    175    31    24    26 
   880          3.8 x 10^18                8    110    36    27    29 
  1060          6.0 x 10^20                8    133    38    29    31 
  1280          1.3 x 10^22                8    160    39    32    33 



The above table dealt with the equation collection phase of Coppersmith's algorithm. As in the 
case of the basic algorithm, the equation solution phase would be limited more by the large memory 
size needed than by the number of operations. If we consider somewhat smaller values of m, we 
obtain Table 4. 

There are two entries in the table for each n. It is possible to obtain finer estimates than in 
Table 4 by using what are in effect fractional values of m. What that would mean, in practice, is 
that S might consist of all the irreducible polynomials of degrees ≤ m' and one third of those of 
degree m'+1, say. However, since Table 4 is meant to be used only as a rough guide, accurate only 
to within an order of magnitude, there is no point in doing this. 
Table 4. Operation count for Coppersmith's algorithm (taking into account limitations of equation solving phase). 

     n      value of (6.2)    2^k     h     m    d_1   d_2 
   280       1.? x 10^12       4     70    16    17    20 
   280       4.? x 10^??       4     70    19    14    17 
   400       1.? x 10^??       4    100    20    19    22 
   400       7.1 x 10^13       4    100    21    18    21 
   520       1.? x 10^??       4    130    22    23    25 
   520       7.0 x 10^??       4    130    23    22    24 
   700       1.2 x 10^??       4    175    24    28    31 
   700       2.0 x 10^??       4    175    26    26    29 
   880       ?.? x 10^21       4    220    27    32    34 
   880       ?.? x 10^20       4    220    29    30    32 
  1060       ?.? x 10^24       8    133    30    38    40 
  1060       1.2 x 10^??       8    133    31    35    37 
  1280       4.3 x 10^26       8    160    31    43    44 
  1280       1.1 x 10^24       8    160    33    37    38 
  2000       1.7 x 10^30       8    250    36    48    50 
  2000       1.3 x 10^29       8    250    37    46    47 

(Digits shown as ? are illegible in the scan.) 



If we neglect the time needed to solve the system of linear equations, we see that a single 
supercomputer could probably compute the database for n < 460 in about a year, and the next 
generation might be able to do it for n < 520. On the other hand, n > 800 would be safe from 
such attacks. If we assume that methods such as those of Section 5.7 are to be used to solve the 
linear equations, then Table 4 suggests that n > 700 is safe even from the next generation of 
supercomputers, while n < 500 probably isn't. 

A special purpose processor using 10^4 chips running at 100 nanoseconds per cycle might be able 
to assemble the equations for n < 700 in about a year, and these equations could probably be solved 
in about that much time on a supercomputer. For n = 520, though, a processor consisting of only 
about 100 chips of this kind might be able to find the equations in about a year (with m = 22), and 
they could then be solved in about a month on a supercomputer like the Cray-2. (Alternatively, 
with 10^3 chips in the equation collecting phase, a supercomputer might be needed for only a couple 
of days.) A very fanciful multiprocessor with 10^6 chips running at 1 nanosecond per cycle might be 
able to assemble the required equations for n < 1280 and solve them in between 1 and 10 years. 
Since even relatively small improvements to presently known algorithms could lower the operation 
count by a factor of 10 or 100, this means that even n = 1279 should not be considered safe, since it 
could then be broken using a less ambitious machine. (Note that a machine using 10^6 chips running 
at around 10 nanoseconds per cycle was proposed by Diffie and Hellman [24] for finding a DES key 
in about a day through exhaustive search. Such a machine was generally thought to be too 
ambitious for the then current technology, but it seems to be generally accepted that it could be 
built for some tens of millions of dollars by 1990.) On the other hand, n > 2200 is about 10^6 times 
harder than n = 1280, and so can be considered safe, barring any new major breakthroughs in 
discrete logarithm algorithms. 

7. Algorithms in GF(p), p prime 

The Silver-Pohlig-Hellman algorithm presented in Section 2 obviously applies directly to prime 
fields. The basic version of the index-calculus algorithm that has been presented so far can also be 
applied mutatis mutandis to the computation of discrete logarithms in fields GF(p), p a prime. 
However, its simplest adaptation, even with the use of the early abort strategy [53], results in a 
running time for the first phase of about 

$$L^{\sqrt{5/2}} = L^{1.581\ldots}, \qquad (7.1)$$

where L stands for any quantity that is 

$$L = \exp\left((1 + o(1))\,(\log_e p\, \log_e \log_e p)^{1/2}\right) \quad \text{as } p \to \infty. \qquad (7.2)$$

It was recently found, however, that there are several algorithms which run in time L [20]. The 
second phases of those algorithms can be used to find individual logarithms in time L^{1/2} [20]. 

The discovery of the new algorithms for computing discrete logarithms in fields GF(p) means 
that discrete logarithms in these fields are just about as hard to compute as it is to factor integers of 
size about p, provided that the field GF(p) is changing. If the field were to stay fixed, then there 
would be an initial phase that would be about as hard to do as factoring a general integer around p, 
but then each individual logarithm would be relatively easy to compute. 

Until recently, it was thought that the Schnorr-Lenstra algorithm [60] was the only factorization 
algorithm that ran in time L, with various other methods, such as the Pomerance quadratic sieve 
[53] requiring time L^{1+δ} for various δ > 0. Those conclusions were based on the assumption that 
one had to use general matrix inversion algorithms to solve systems of linear equations. Now, with 
the methods described in Section 5.7 that take advantage of the sparseness of those systems, there 
are several algorithms, including the quadratic sieve and the Schroeppel linear sieve, and the new 
ones proposed in [20], which factor integers of size around p in time L. 

It is quite possible that further progress in both discrete logarithm and factorization algorithms 
could be made in the near future. For example, if one can find, for a given p, integers a, b, and c 
such that they are all O(p^{1/3+ε}) and such that 

$$a^3 \equiv b^2 c \pmod{p}, \qquad a^3 \neq b^2 c, \qquad (7.3)$$

then one obtains a discrete logarithm algorithm and a factorization algorithm with running time 

$$L^{\sqrt{2/3}} = L^{0.8164\ldots} \qquad (7.4)$$

for the first phase [20]. Such a, b, and c are expected to exist for all p, and the problem is to 
construct an algorithm that finds them. In some cases they can be found. For example, if 
p = a^3 − c for c = O(p^{1/3}), then (7.3) is satisfied with b = 1. (This version is the "cubic sieve" of 
Reyneri.) Any algorithm for constructing a, b, and c satisfying (7.3) would help about equally in 
factoring integers and computing discrete logarithms. In general, while there are algorithms for 
factorization that do not generalize to give discrete logarithm algorithms (the Schnorr-Lenstra 
algorithm [60], for example), the converse is not the case. Therefore it seems fairly safe to say that 
discrete logarithms are at least as hard as factoring and likely to remain so. 

The idea behind the Coppersmith variant cannot be extended to the fields GF(p) with p prime. 
That idea is based on the fact that squaring is a linear operation in GF(2), so that if the difference 
of two polynomials over GF (2) is of low degree, so is the difference of the squares of those 
polynomials. Nothing like this phenomenon seems to hold in the fields GF(p), p prime. 

8. Cryptographic implications 

The preceding sections presented descriptions of the most important known algorithms for 
computing discrete logarithms in finite fields. The conclusions to be drawn from the discussion of 
these algorithms is that great care should be exercised in the choice of the fields GF(q) to be used 
in any of the cryptosystems described in the Introduction. The Silver-Pohlig-Hellman algorithm 
presented in Section 2 has running time on the order of √p, where p is the largest prime factor of 
q − 1. It is possible to decrease the √p running time in cases where many discrete logarithms in the 
same field are to be computed, but only at the cost of a substantially longer preprocessing stage. Of 
the cryptosystems based on discrete logarithms, probably the most likely ones to be implemented are 
the authentication and key exchange ones (cf. [38,59,69]). To crack one of these systems, it is only 
necessary to compute one discrete logarithm, since that gives the codebreaker a valid key or 
password, with which he can then either impersonate a valid user or forge enciphered messages. 
Thus it can be expected that any discrete logarithm method would be used relatively infrequently in 
cryptanalysis, so that optimizing the form of the Silver-Pohlig-Hellman algorithm would yield both 
the preprocessing stage and the average running time on the order of √p, or at least within a factor 
of 100 or so of √p. The Silver-Pohlig-Hellman algorithm can be parallelized to a very large extent, 
the main limitation arising from the need to have a very large memory, on the order of bits, 
which would be accessible from all the independent elements. This means that values of p < 10^25, 
say, ought to be avoided in cryptographic applications. On the other hand, for p > 10^40, the 
Silver-Pohlig-Hellman algorithm appears impractical for the foreseeable future. 

The limitation that q − 1 have at least one large prime factor, which is imposed by the 
Silver-Pohlig-Hellman algorithm, has led to suggestions that fields GF(2^n) be used for which 2^n − 1 is a 
prime. Primes of the form 2^n − 1 are known as Mersenne primes, and the known ones are listed in 
Table 5. One disadvantage of Mersenne primes is that there are relatively few of them. In 
particular, there are wide gaps between the consecutive Mersenne primes 2^607 − 1, 2^1279 − 1, and 
2^2203 − 1. The index-calculus algorithm is not very sensitive to the factorization of 2^n − 1, and so it 
seems safe to use values of n for which 2^n − 1 is not prime, provided it has a large prime factor 
(> 10^40, preferably, for reasons discussed above). Table 6 presents a selection of values of n 
between 127 and 521 for which the complete factorization of 2^n − 1 is known and includes a very 
large prime factor. (This table is drawn from [14], except that the primality of the 105-digit factor 
of 2^373 − 1 was proved by the author using the Cohen-Lenstra [17] version of the 
Adleman-Pomerance-Rumely primality test [2].) Also included are the two values n = 881 and n = 1063, for 
which the cofactors have not been shown to be prime, although they almost definitely are, since they 
pass pseudoprime tests. Any one of these values of n will give a cryptosystem that is resistant to 
attacks by the Silver-Pohlig-Hellman algorithm. 

It would be very desirable to have some additional entries in Table 6 to fill in the gap in Table 5 
between n = 1279 and n = 2203. Unfortunately no prime values of n in that range are known for 
which 2^n − 1 has been shown to contain a very large prime factor. It is possible to obtain composite 
values of n with this property (any multiple of 127 or 241 will do), but these are probably best 
avoided, since logarithms in these fields GF(2^n) might be easy to compute. More generally, it 
might be advisable to avoid fields GF(q) which have large subfields. Hellman and Reyneri [30] 
raised the possibility that the fields GF(p^2) with p prime might be more secure than the fields 
GF(p), since the index-calculus algorithm did not seem to extend to them. However, ElGamal [25] 
has shown how to modify the index-calculus algorithm to apply to most of the fields GF(p^2). 
Furthermore, ElGamal's approach can be extended to all the fields GF(p^2), and in fact to fields 
GF(p^n) with n bounded. Thus fields of this kind appear not to offer increased security. In fact, 
these fields may be very weak because of the possibility of moving between the field and its 
subfields. As an example of the danger that exists, it can be shown that if p + 1 is divisible only by 
small primes, computing logarithms in GF(p^2) is only about as hard as in GF(p). 

In the case of GF(2^127), the first stage of the index-calculus algorithm can now be carried out in 
a matter of hours on a minicomputer. Furthermore, once the database is generated, individual 
logarithms can be computed rapidly even on today's personal computers. For that reason the field 
GF(2^127) should be regarded as very unsafe for cryptographic applications. 

Once n moves up to 400 or so, the first stage of the index-calculus algorithm becomes infeasible 
to carry out in the fields GF(2^n) by anyone not having access to computing resources comparable to 
those of a modern supercomputer. However, if somebody does use a supercomputer or a large 
number of smaller machines to carry out the first stage, and makes the database widely available, 
anyone with access to even a medium speed computer can rapidly compute individual logarithms. 

When n reaches 700 or so, the first stage becomes infeasible even with a supercomputer. 
However, a relatively modest special purpose device consisting of about 10^4 semi-custom chips would 
enable a cryptanalyst to assemble the desired database even in these ranges. Such a special purpose 
computer might be assembled as part of a university project (cf. [62]). Furthermore, computations 
of individual logarithms could still be performed on any relatively fast computer. Special purpose 
machines of this kind, but either with more special chips or with faster chips could probably be used 
to assemble the databases for n up to perhaps 1200, but might have difficulty solving the system of 
linear equations. 

The fields GF(2^n) have been preferred for cryptographic applications because of ease of 
implementation. There are penalties for this gain, though. One is that the codebreaker's 
implementation is correspondingly easy to carry out. Another is that logarithms in the fields 
GF(2^n) are much easier to compute than in the fields GF(p) for p a prime, p ≈ 2^n, especially now 
that the Coppersmith algorithm is available [18,19]. Still another disadvantage of the fields GF(2^n) 
as compared with the prime fields of the same order is that there are very few of them. All of the 
fields GF(2^n) with a fixed value of n are isomorphic, and so can be regarded as essentially the same 
field. On the other hand, there are many primes p with 2^(n−1) < p < 2^n. This is important, since in 
the index-calculus algorithm (and to some extent also in the Silver-Pohlig-Hellman algorithm) the 
initial preprocessing stage has to be done only once, and once it's done, individual logarithms are 
computable relatively fast. If the field can be changed, say every month or every year, the 
cryptanalyst will have only that long on average to assemble his database. (This may not be a 
serious strengthening of security in the case of information that has to be kept secret for extended 
periods of time.) Therefore having only a few fields to choose from makes a cryptosystem less 
secure. 

Table 5. Known Mersenne primes 2^p − 1. 

Values of p for which 2^p − 1 is prime: 
2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 
9689, 9941, 11213, 19937, 21701, 23209, 44497, 86243, 132049 

Table 6. Factorization of Mersenne numbers 2^p − 1 (p prime) which contain a very large prime 
factor. Pn denotes a prime of n decimal digits, PRPn a probable prime of n digits. 

   p     Factorization of 2^p − 1 
 167     2349023 · P44 
 197     7487 · P56 
 227     26986333437777017 · P52 
 241     22000409 · P66 
 269     13822297 · P74 
 281     80929 · P80 
 307     14608903 · 85798519 · 23487583303 · 78952752017 · P57 
 331     16937389168607 · 865118802936559 · P72 
 373     25569151 · P105 
 409     4480666067023 · 76025626689833 · P97 
 881     26431 · PRP261 
1063     1485761479 · PRP311 

The algorithms presented here show that great care has to be exercised in the choice of the fields 
GF(2^n) for cryptographic applications. First of all, n should be chosen so that 2^n − 1 has a large 
prime factor, preferably larger than 10^40. Secondly, n should be quite large. Even to protect 
against attackers possessing small but fast computers of the kind that might be widely available 
within the next ten years, it seems best to choose n > 800. To protect against sophisticated attacks 
by opponents capable of building large special purpose machines, n should probably be at least 
1500. In fact, to guard against improvements in known algorithms or new methods, it might be 
safest to use n > 2000 or even larger. 

Given a bound on the size of the key, one can obtain much greater security by using the fields 
GF(p) with p prime than the fields GF(2^n). In this case p also has to be chosen so that p − 1 
contains a large prime factor. If this precaution is observed, fields with p > 2 no provide a level of 
security that can only be matched by the fields GF(2^n) with n > 2000. 
The requirement that p be changed frequently is not an onerous one. It is easy to construct 
large primes p for which p − 1 has a large prime factor (cf. [68]). Moreover, it is easy to construct 
them in such a way that the complete factorization of p − 1 is known, which makes it easy to find 
primitive roots g modulo p and prove that they are primitive. 

The discrete logarithm problem in fields GF(p) for which p − 1 does have a large prime factor 
appears to be about as hard as the problem of factoring integers of size about p. The comparison of 
the asymptotic complexity of the two problems was presented in Section 7. As far as values of 
practical use are concerned, the best current factorization programs appear to be capable of 
factoring integers around 2^230 in about 1 day on a supercomputer like the Cray-XMP [22]. In 
applications where one is only interested in exchanging keys for use with ordinary cryptographic 
equipment, the Diffie-Hellman scheme presented in Section 2 seems comparable to the Rivest-
Shamir-Adleman (RSA) scheme, provided one uses fields GF(p). However, the best choice is not 
totally obvious. The Diffie-Hellman scheme has the advantage that the parties exchanging keys do 
not have to keep their private keys secret (since there are no private keys). It has the disadvantage 
that there is no authentication. Furthermore, if the Diffie-Hellman scheme is to be used with the 
same field shared by many people for a prolonged time, the discrete logarithm problem being as 
hard as factorization loses some of its significance because the cryptanalyst can afford to spend 
much more time compiling the database. If the field to be used does change from one session to 
another, though, the Diffie-Hellman scheme appears as a good choice among key distribution 
systems. 
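The two selection criteria above in runnable form, as an added example that is not Odlyzko's code: it verifies the Table 6 rows (every listed factor is 1 mod 2p, their product divides 2^p − 1, the cofactor has the stated digit count, exceeds 10^40 and passes a Miller-Rabin pseudoprime test), and it constructs a prime p whose p − 1 has a known factorization, here by the safe-prime construction p = 2q + 1 (an assumption made for illustration; the method of [68] is not consulted), from which a primitive root g is found and proved primitive. The row data are transcribed from Table 6; `safe_prime`, `find_primitive_root` and the other names are the example's own.

```python
"""Parameter checks for the field-selection advice above (added example, not Odlyzko's code)."""
import random

# Transcribed from Table 6: (p, listed small prime factors of 2^p - 1, decimal digits of the
# large cofactor).  The cofactor of 2^307 - 1 has 57 digits by the digit count computed here.
TABLE_6 = [
    (167, [2349023], 44),
    (197, [7487], 56),
    (227, [26986333437777017], 52),
    (241, [22000409], 66),
    (269, [13822297], 74),
    (281, [80929], 80),
    (307, [14608903, 85798519, 23487583303, 78952752017], 57),
    (331, [16937389168607, 865118802936559], 72),
    (373, [25569151], 105),
    (409, [4480666067023, 76025626689833], 97),
    (881, [26431], 261),
    (1063, [1485761479], 311),
]


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin pseudoprime test (the kind of test the text says the cofactors pass)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_table6_row(p, small_factors, cofactor_digits):
    """Verify one Table 6 row.  Every prime factor of 2^p - 1 (p prime) is 1 mod 2p, so that is
    checked first; then the product must divide 2^p - 1, and the cofactor is examined."""
    mersenne = (1 << p) - 1
    product = 1
    for f in small_factors:
        product *= f
    if any((f - 1) % (2 * p) for f in small_factors) or mersenne % product:
        return None
    cofactor = mersenne // product
    return {
        "digits_ok": len(str(cofactor)) == cofactor_digits,
        "exceeds_1e40": cofactor > 10 ** 40,          # the threshold recommended in the text
        "cofactor_prp": is_probable_prime(cofactor, rounds=8),
    }


def safe_prime(bits, rng):
    """One construction of a prime p with p - 1 of known factorization: p = 2q + 1 with q prime,
    so the largest prime factor of p - 1 has bits - 1 bits.  (Illustrative; not the method of [68].)"""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1, [2, q]


def is_primitive_root(g, p, prime_factors):
    """g generates GF(p)* iff g^((p-1)/q) != 1 mod p for every prime q dividing p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)


def find_primitive_root(p, prime_factors):
    """Smallest primitive root modulo p, proved primitive from the factorization of p - 1."""
    return next(g for g in range(2, p) if is_primitive_root(g, p, prime_factors))


def demo_safe_prime(bits, seed):
    """Deterministic demonstration: returns (p, prime factors of p - 1, primitive root g)."""
    p, factors = safe_prime(bits, random.Random(seed))
    return p, factors, find_primitive_root(p, factors)


if __name__ == "__main__":
    for p, factors, digits in TABLE_6:
        print(p, check_table6_row(p, factors, digits))
    print(demo_safe_prime(64, 1))
```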
Appendix A: Computation and estimation of N(n,m), the number of polynomials over GF(2) of 
degree n, all of whose irreducible factors are of degrees ≤ m. 

Let I(k) denote the number of irreducible polynomials over GF(2) that are of degree k. Then 
it is well-known [38] that 

$$I(k) = \frac{1}{k} \sum_{d \mid k} \mu(d)\, 2^{k/d}, \qquad (A.1)$$

where μ(d) is the Möbius μ-function. The formula (A.1) provides an efficient method for 
computing I(k), the first few values of which are shown in Table 7. In addition, (A.1) shows 
immediately that 

$$I(k) = k^{-1} 2^{k} + O(k^{-1} 2^{k/2}). \qquad (A.2)$$

We define N(k,0) = 1 if k = 0 and N(k,0) = 0 if k ≠ 0. Also, we adopt the convention that 
N(k,m) = 0 if k < 0 and m > 0. With these conventions, we obtain the following recurrence, 
valid for n, m > 0: 

$$N(n,m) = \sum_{k=1}^{m} \sum_{r \ge 1} N(n - rk,\, k - 1) \binom{r + I(k) - 1}{r}. \qquad (A.3)$$

To prove the validity of (A.3), note that any polynomial f(x) of degree n, all of whose irreducible 
factors are of degrees ≤ m, can be written uniquely as 

$$f(x) = g(x) \prod_{u(x)} u(x)^{a(u(x))},$$

where the u(x) are all of degree k for some k, 1 ≤ k ≤ m, Σ a(u(x)) = r for some r ∈ Z^+, and 
g(x) is a polynomial of degree n − rk, all of whose irreducible factors are of degrees ≤ k − 1. Given 
k and r, there are N(n − rk, k − 1) such polynomials g(x). The number of Π u(x)^{a(u(x))} is the 
number of I(k)-tuples of nonnegative integers which sum to r, which is easily seen to equal 

$$\binom{r + I(k) - 1}{r}.$$

This proves (A.3). 
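Formula (A.1) and the recurrence (A.3) in runnable form, as an added example and not the paper's own program; it reproduces Table 7 and the Appendix B entries p(n,k) = N(n,k)/2^n (the n = 10 row p(10,1) = 11/1024, p(10,2) = 36/1024, p(10,3) = 111/1024, for instance). Function names (`irreducible_count`, `smooth_count`, `smooth_probability`, `appendix_b_row`) are the example's own.

```python
"""Table 7 and Appendix B recomputed from (A.1) and (A.3) (added example, not the paper's program)."""
from functools import lru_cache
from math import comb


def mobius(n):
    """Moebius function mu(n) by trial division (n is at most a few hundred here)."""
    result = 1
    p = 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0          # a squared prime factor: mu(n) = 0
            result = -result
        p += 1
    if n > 1:
        result = -result          # one remaining prime factor
    return result


@lru_cache(maxsize=None)
def irreducible_count(k):
    """I(k), the number of irreducible polynomials over GF(2) of degree k, by formula (A.1)."""
    return sum(mobius(d) * 2 ** (k // d) for d in range(1, k + 1) if k % d == 0) // k


@lru_cache(maxsize=None)
def smooth_count(n, m):
    """N(n,m): degree-n polynomials over GF(2) whose irreducible factors all have degree <= m,
    by recurrence (A.3).  Conventions: N(0,m) = 1, N(n,0) = 0 for n > 0, N(n,m) = 0 for n < 0."""
    if n == 0:
        return 1
    if n < 0 or m == 0:
        return 0
    total = 0
    for k in range(1, m + 1):      # k: degree of the largest irreducible factors of f
        r = 1                      # r: sum of their multiplicities, so deg g = n - r*k
        while r * k <= n:
            # N(n-rk, k-1) choices of g times the number of I(k)-tuples summing to r
            total += smooth_count(n - r * k, k - 1) * comb(r + irreducible_count(k) - 1, r)
            r += 1
    return total


def smooth_probability(n, m):
    """p(n,m) = N(n,m) / 2^n, the quantity tabulated in Appendix B."""
    return smooth_count(n, m) / 2 ** n


def appendix_b_row(n, k_first, width=5):
    """One row of an Appendix B block: p(n,k) for k = k_first, ..., k_first + width - 1."""
    return [smooth_probability(n, k) for k in range(k_first, k_first + width)]


if __name__ == "__main__":
    print("Table 7:", [irreducible_count(k) for k in range(1, 21)])
    for k in range(1, 40, 5):
        print("n = 100, k =", k, ["%.5E" % x for x in appendix_b_row(100, k)])
```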
Table 7. Values of I(n), the number of irreducible binary polynomials of degree n. 

  n     I(n) 
  1        2 
  2        1 
  3        2 
  4        3 
  5        6 
  6        9 
  7       18 
  8       30 
  9       56 
 10       99 
 11      186 
 12      335 
 13      630 
 14     1161 
 15     2182 
 16     4080 
 17     7710 
 18    14532 
 19    27594 
 20    52377 


The recurrence (A.3) was used to compute the probabilities p(n,m) listed in Appendix B. To 
estimate N(n,m) asymptotically, we use different techniques. The method we use differs from those 
used to study the analogous problem for ordinary integers (see [29,31,39,46]), and relies on the 
saddle point method [15]. With extra effort, it is capable of producing much more refined estimates 
than we obtain over much greater ranges of n and m. However, in order to keep the presentation 
simple, we consider only the ranges most important for cryptographic applications. 

Theorem A1. Let 

$$f_m(z) = \prod_{k=1}^{m} (1 - z^k)^{-I(k)} \qquad (A.4)$$

and 

$$b(z) = \sum_{k=1}^{m} I(k) \left[ \frac{k(k-1)\, z^{k-2}}{1 - z^k} + \frac{k^2 z^{2k-2}}{(1 - z^k)^2} \right]. \qquad (A.5)$$

Then, for n^{1/100} ≤ m ≤ n^{99/100}, we have 

$$N(n,m) \sim (2\pi\, b(r_0))^{-1/2} f_m(r_0)\, r_0^{-n} \quad \text{as } n \to \infty, \qquad (A.6)$$

where r = r_0 = r_0(n,m) is the unique positive solution to 

$$r\, \frac{f_m'(r)}{f_m(r)} = n. \qquad (A.7)$$

Corollary A2. If n^{1/100} ≤ m ≤ n^{99/100}, then 

$$N(n,m) = 2^{n} \left( \frac{n}{m} \right)^{-(1 + o(1))\, n/m} \quad \text{as } n \to \infty. \qquad (A.8)$$

Corollary A3. If n^{1/100} ≤ m ≤ n^{99/100}, and 0 ≤ k ≤ 2m, then 

$$\frac{N(n+k,m)}{N(n,m)} \sim 2^{k} \left( \frac{n}{m} \log \frac{n}{m} \right)^{-k/m} \quad \text{as } n \to \infty. \qquad (A.9)$$

Proof of Theorem A1. It is immediate from (A.4) that 

$$f_m(z) = \prod_{k=1}^{m} (1 + z^k + z^{2k} + \cdots)^{I(k)} = \sum_{n=0}^{\infty} N(n,m)\, z^{n}. \qquad (A.10)$$

Hence, by Cauchy's theorem, 

$$N(n,m) = \frac{1}{2\pi i} \oint f_m(z)\, z^{-n-1}\, dz = \frac{1}{2\pi} \int_{-\pi}^{\pi} f_m(r e^{i\theta})\, r^{-n} e^{-in\theta}\, d\theta, \qquad (A.11)$$

where r is any real number with 0 < r < 1. As usual in the saddle point method, we determine 
r = r_0 by the condition (A.7), which is equivalent to 

$$\sum_{k=1}^{m} \frac{I(k)\, k\, r^{k}}{1 - r^{k}} = n. \qquad (A.12)$$

Since I(k) > 0, it is clear that (A.12) has a unique solution r = r_0 with 0 < r_0 < 1. We next 
estimate r_0 and f_m(r_0). We consider n^{1/100} ≤ m ≤ n^{99/100}, n → ∞, and take 

$$r = \exp\left( \frac{\alpha \log n}{m} - \log 2 \right), \qquad 10^{-3} \le \alpha \le 10^{3}, \qquad (A.13)$$

say. (All logarithms are to base e in this appendix.) Then, by (A.2), 

$$\sum_{k=1}^{m} \frac{I(k)\, k\, r^{k}}{1 - r^{k}} = \sum_{k=1}^{m} \frac{2^{k} r^{k}}{1 - r^{k}} + O(1)$$

as n → ∞ (uniformly in m satisfying n^{1/100} ≤ m ≤ n^{99/100}, as will be the case throughout the rest 
of the exposition), and so 

$$\sum_{k=1}^{m} \frac{I(k)\, k\, r^{k}}{1 - r^{k}} = \sum_{k=1}^{m} 2^{k} r^{k} + O(1) = \frac{2r\,((2r)^{m} - 1)}{2r - 1} + O(1) = \frac{m\,\bigl(1 + O(n^{-\alpha} + m^{-1} \log n)\bigr)}{\alpha \log n}\, n^{\alpha}. \qquad (A.14)$$

We conclude that r = r_0 is given by (A.13) with α = α_0 satisfying 

$$\alpha_0 = \left( \log \frac{n}{m} + \log \log \frac{n}{m} + o(1) \right) (\log n)^{-1}, \qquad (A.15)$$

so that 

$$\alpha_0 \sim \frac{\log (n/m)}{\log n} \quad \text{as } n \to \infty, \qquad (A.16)$$

and that 

$$2^{m} r_0^{m} \sim \alpha_0\, n\, m^{-1} \log n. \qquad (A.17)$$

From (A.17) and (A.2) we easily conclude that 

$$-\sum_{k=1}^{m} I(k) \log (1 - r_0^{k}) = \sum_{k=1}^{m} k^{-1} 2^{k} r_0^{k} + O(1), \qquad (A.18)$$

$$b(r_0) = \left. \left( \frac{f_m'(r)}{f_m(r)} \right)' \right|_{r = r_0} = \sum_{k=1}^{m} I(k) \left[ \frac{k(k-1)\, r_0^{k-2}}{1 - r_0^{k}} + \frac{k^{2} r_0^{2k-2}}{(1 - r_0^{k})^{2}} \right] \sim 4mn, \qquad (A.19)$$

$$\left. \left( \frac{f_m'(r)}{f_m(r)} \right)'' \right|_{r = r_0} = O(m^{2} n). \qquad (A.20)$$

We now use the above estimates to carry out the saddle point approximation, which proceeds 
along very standard lines (cf. [15]). We choose 

$$\theta_0 = m^{-1/2} n^{-599/1200}.$$

If we let 

$$a(r_0) = \log f_m(r_0) - n \log r_0,$$

then by (A.12), (A.19), and (A.20) we obtain, for |θ| ≤ θ_0, 

$$\log f_m(r e^{i\theta}) - n \log r - in\theta = a(r_0) - \tfrac{1}{2} b(r_0)\, \theta^{2} + O(m^{2} n |\theta|^{3}) = a(r_0) - \tfrac{1}{2} b(r_0)\, \theta^{2} + O(m^{1/2} n^{-199/400}).$$

Therefore 

$$\frac{1}{2\pi} \int_{-\theta_0}^{\theta_0} f_m(r_0 e^{i\theta})\, r_0^{-n} e^{-in\theta}\, d\theta = (2\pi\, b(r_0))^{-1/2} f_m(r_0)\, r_0^{-n} \bigl( 1 + O(m^{1/2} n^{-199/400}) \bigr).$$

It remains only to show that the integral over θ_0 ≤ |θ| ≤ π is negligible. Now for z = r e^{iθ}, r = r_0, 
and m* = ⌊999m/1000⌋, we have 

$$\log f_m(r) - \log |f_m(z)| = \sum_{k=1}^{m} I(k) \log \left| \frac{1 - z^{k}}{1 - r^{k}} \right| = \sum_{k=1}^{m} k^{-1} 2^{k} \bigl\{ \log |1 - z^{k}| - \log (1 - r^{k}) \bigr\} + O(1)$$

$$= \sum_{k=1}^{m} k^{-1} 2^{k} r^{k} (1 - \cos k\theta) + O(1) \ \ge\ m^{-1} \sum_{m^* < k \le m} 2^{k} r^{k} (1 - \cos k\theta) + O(1). \qquad (A.21)$$

If |θ| ≥ 10^4 m^{-1}, say, the right side above is 

$$\ge\ m^{-1} 2^{m^*} r^{m^*} \left[ m - m^* - \frac{\sin (m + \tfrac{1}{2})\theta - \sin (m^* + \tfrac{1}{2})\theta}{2 \sin (\theta/2)} \right] + O(1) \ \ge\ 10^{-5}\, 2^{m^*} r^{m^*} + O(1) \ \ge\ 10^{-5} (n/m)^{999/1000} + O(1). \qquad (A.22)$$

If θ_0 ≤ |θ| ≤ 10^4 m^{-1}, on the other hand, 

$$1 - \cos k\theta \ \ge\ 1 - \cos k\theta_0 \ \ge\ 10^{-3}\, m\, n^{-599/600}, \qquad m^* < k \le m,$$

and the last quantity in (A.21) is 

$$\ge\ 10^{-6}\, m^{1/1000}\, n^{1/1500} + O(1). \qquad (A.23)$$

Combining the estimates (A.22) and (A.23), we conclude that for θ_0 ≤ |θ| ≤ π, 

$$\log f_m(r) - \log |f_m(z)| \ \ge\ \epsilon\, n^{\delta}$$

for some ε, δ > 0, and so the integral over that range is indeed negligible compared to the integral 
over |θ| ≤ θ_0. 

When we combine all the results obtained above, we obtain the estimate (A.6) of the theorem. 
Proof of Corollary A2. By (A.19), we know that b(r_0) ~ 4mn. Now 

$$-n \log r_0 = n \log 2 - \alpha_0\, n\, m^{-1} \log n = n \log 2 - (1 + o(1)) \frac{n}{m} \log \frac{n}{m}. \qquad (A.24)$$

Furthermore, by (A.17), 

$$2^{k} r_0^{k} = O(n^{1/2} m^{-1/2} \log n), \qquad k \le m/2,$$

so 

$$\sum_{k=1}^{m} k^{-1} 2^{k} r_0^{k} = O(n^{1/2} m^{-1/2} (\log n)^{2}) + O(n m^{-1}),$$

and so by (A.18), 

$$\log f_m(r_0) = o\left( \frac{n}{m} \log \frac{n}{m} \right).$$

This proves the estimate (A.8) of the corollary. 

Proof of Corollary A3. We first study how r_0 = r_0(n,m) varies with n. Letting n be a continuous 
variable defined by (A.12) (with m fixed and r varying), we find that (as in (A.19) and (A.20)) 

$$\frac{\partial n}{\partial r} \sim 2mn \qquad (A.25)$$

and, for |r − r_0| = O(n^{-1}), 

$$\frac{\partial^{2} n}{\partial r^{2}} = O(m^{2} n).$$

Hence for 0 ≤ k ≤ 2m, 

$$\delta = r_0(n+k, m) - r_0(n, m) \sim k\,(2mn)^{-1}. \qquad (A.26)$$

Therefore 

$$\log f_m(r_0(n+k, m)) - \log f_m(r_0(n, m)) = \delta\, \frac{f_m'}{f_m}(r_0(n, m)) + O(\delta^{2} M),$$

where 

$$M = \max_{r_0(n,m) \le r \le r_0(n,m) + \delta} \left| \left( \frac{f_m'}{f_m} \right)'(r) \right| = O(mn),$$

and so 

$$\log f_m(r_0(n+k, m)) - \log f_m(r_0(n, m)) \sim k/m.$$

Since by (A.19), 

$$b(r_0(n+k, m)) \sim b(r_0(n, m)) \sim 4mn,$$

we finally obtain, for r = r_0(n, m), 

$$\frac{N(n+k, m)}{N(n, m)} \sim \exp(k/m)\, r^{-k} (1 + \delta r^{-1})^{-n} \sim 2^{k} \left( \frac{n}{m} \log \frac{n}{m} \right)^{-k/m}, \qquad (A.27)$$

which yields the desired result. 
Appendix B. Values of p(n,k), the probability that a random polynomial over GF(2) of degree n 
will have all its irreducible factors of degrees ≤ k, for various values of n and for 1 ≤ k ≤ 40. 

In each block below, the row labelled k lists p(n,k), p(n,k+1), ..., p(n,k+4). 

n = 10 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.07422E-02  3.51562E-02  1.08398E-01  2.22656E-01  3.95508E-01 
 6   5.36133E-01  6.76758E-01  7.93945E-01  9.03320E-01  1.00000E+00 
11   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
16   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
21   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
26   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
31   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
36   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 

n = 20 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   2.00272E-05  1.15395E-04  8.44955E-04  3.95012E-03  1.65253E-02 
 6   4.19769E-02  9.27200E-02  1.58895E-01  2.41888E-01  3.33941E-01 
11   4.24762E-01  5.06549E-01  5.83453E-01  6.54315E-01  7.20904E-01 
16   7.83160E-01  8.41983E-01  8.97418E-01  9.50049E-01  1.00000E+00 
21   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
26   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
31   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
36   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 

n = 30 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   2.88710E-08  2.38419E-07  3.20468E-06  2.89446E-05  2.70738E-04 
 6   1.30629E-03  5.32556E-03  1.46109E-02  3.27337E-02  6.05388E-02 
11   9.95504E-02  1.46035E-01  2.00105E-01  2.59328E-01  3.23701E-01 
16   3.85957E-01  4.44780E-01  5.00215E-01  5.52846E-01  6.02797E-01 
21   6.50413E-01  6.95845E-01  7.39323E-01  7.80979E-01  8.20979E-01 
26   8.59436E-01  8.96473E-01  9.32185E-01  9.66668E-01  1.00000E+00 
31   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 
36   1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00  1.00000E+00 

n = 40 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   3.72893E-11  4.01087E-10  8.58199E-09  1.33864E-07  2.58580E-06 
 6   2.33114E-05  1.79979E-04  8.13273E-04  2.79863E-03  7.24926E-03 
11   1.58528E-02  2.93316E-02  4.89490E-02  7.46204E-02  1.05880E-01 
16   1.41606E-01  1.81373E-01  2.24427E-01  2.70539E-01  3.19242E-01 
21   3.66858E-01  4.12290E-01  4.55768E-01  4.97424E-01  5.37424E-01 
26   5.75881E-01  6.12918E-01  6.48630E-01  6.83113E-01  7.16445E-01 
31   7.48703E-01  7.79953E-01  8.10256E-01  8.39667E-01  8.68239E-01 
36   8.96016E-01  9.23043E-01  9.49359E-01  9.75000E-01  1.00000E+00 
n = 50 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   4.52971E-14  6.00409E-13  1.87370E-11  4.64628E-10  1.72661E-08 
 6   2.83341E-07  4.15352E-06  3.15683E-05  1.70819E-04  6.37026E-04 
11   1.89641E-03  4.51306E-03  9.32956E-03  1.69499E-02  2.80019E-02 
16   4.27905E-02  6.17055E-02  8.43781E-02  1.10392E-01  1.39255E-01 
21   1.70678E-01  2.04341E-01  2.40042E-01  2.77562E-01  3.16762E-01 
26   3.55219E-01  3.92256E-01  4.27968E-01  4.62450E-01  4.95783E-01 
31   5.28041E-01  5.59290E-01  5.89593E-01  6.19005E-01  6.47576E-01 
36   6.75354E-01  7.02381E-01  7.28697E-01  7.54338E-01  7.79338E-01 

n = 60 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   5.29091E-17  8.33535E-16  3.57405E-14  1.32500E-12  8.91426E-11 
 6   2.58718E-09  7.15988E-08  9.24769E-07  8.00984E-06  4.38229E-05 
11   1.80902E-04  5.62442E-04  1.45972E-03  3.20781E-03  6.25179E-03 
16   1.10167E-02  1.79110E-02  2.71835E-02  3.91011E-02  5.38207E-02 
21   7.13458E-02  9.13458E-02  1.13563E-01  1.37747E-01  1.63715E-01 
26   1.91288E-01  2.20330E-01  2.50714E-01  2.82341E-01  3.15118E-01 
31   3.47376E-01  3.78625E-01  4.08928E-01  4.38340E-01  4.66911E-01 
36   4.94689E-01  5.21716E-01  5.48032E-01  5.73673E-01  5.98673E-01 

n = 70 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   6.01393E-20  1.09775E-18  6.19062E-17  3.27368E-15  3.78790E-13 
 6   1.88957E-11  9.76926E-10  2.15538E-08  3.02670E-07  2.46433E-06 
11   1.43153E-05  5.88968E-05  1.94202E-04  5.22033E-04  1.21092E-03 
16   2.47391E-03  4.57774E-03  7.79633E-03  1.24157E-02  1.86403E-02 
21   2.66552E-02  3.65932E-02  4.85857E-02  6.26843E-02  7.87250E-02 
26   9.65101E-02  1.15878E-01  1.36683E-01  1.58803E-01  1.82129E-01 
31   2.06566E-01  2.32034E-01  2.58460E-01  2.85782E-01  3.13945E-01 
36   3.41723E-01  3.68750E-01  3.95065E-01  4.20706E-01  4.45706E-01 

n = 80 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   6.70016E-23  1.39049E-21  9.97836E-20  7.25067E-18  1.38122E-15 
 6   1.15256E-13  1.09894E-11  4.14853E-10  9.53139E-09  1.16815E-07 
11   9.66482E-07  5.31900E-06  2.25093E-05  7.46852E-05  2.07615E-04 
16   4.95625E-04  1.05199E-03  2.01760E-03  3.56457E-03  5.87520E-03 
21   9.14845E-03  1.35494E-02  1.92187E-02  2.62653E-02  3.47883E-02 
26   4.48677E-02  5.65725E-02  6.98314E-02  8.45073E-02  1.00477E-01 
31   1.17636E-01  1.35888E-01  1.55151E-01  1.75351E-01  1.96424E-01 
36   2.18311E-01  2.40962E-01  2.64330E-01  2.88376E-01  3.13064E-01 

n = 90 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   7.35092E-26  1.70929E-24  1.52104E-22  1.47329E-20  4.45086E-18 
 6   6.05742E-16  1.05018E-13  6.77815E-12  2.56475E-10  4.77572E-09 
11   5.68482E-08  4.22404E-07  2.31429E-06  9.54889E-06  3.20299E-05 
16   8.99488E-05  2.19926E-04  4.77206E-04  9.41494E-04  1.71113E-03 
21   2.90283E-03  4.64261E-03  7.06931E-03  1.03132E-02  1.44861E-02 
26   1.96783E-02  2.59683E-02  3.34221E-02  4.20997E-02  5.20539E-02 
31   6.32769E-02  7.56710E-02  8.91447E-02  1.03616E-01  1.19013E-01 
36   1.35270E-01  1.52328E-01  1.70136E-01  1.88646E-01  2.07817E-01 

n = 100 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   7.96750E-29  2.05183E-27  2.21718E-25  2.79208E-23  1.29509E-20 
 6   2.80812E-18  8.72341E-16  9.60294E-14  6.01224E-12  1.71395E-10 
11   2.96075E-09  2.99434E-08  2.14020E-07  1.10537E-06  4.50209E-06 
16   1.49474E-05  4.23006E-05  1.04387E-04  2.30656E-04  4.63358E-04 
21   8.60536E-04  1.49335E-03  2.44477E-03  3.80487E-03  5.67219E-03 
26   8.14723E-03  1.13206E-02  1.52676E-02  2.00530E-02  2.57320E-02 
31   3.23535E-02  3.99608E-02  4.85939E-02  5.82726E-02  6.89360E-02 
36   8.05132E-02  9.29404E-02  1.06160E-01  1.20121E-01  1.34775E-01 

n = 120 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   9.10303E-35  2.79937E-33  4.24841E-31  8.51575E-29  8.58548E-26 
 6   4.43640E-23  4.23359E-20  1.33993E-17  2.31621E-15  1.57566E-13 
11   5.85613E-12  1.12008E-10  1.38923E-09  1.14391E-08  6.97729E-08 
16   3.28256E-07  1.26087E-06  4.06533E-06  1.13862E-05  2.82395E-05 
21   6.33049E-05  1.30082E-04  2.48115E-04  4.43550E-04  7.50092E-04 
26   1.20819E-03  1.86404E-03  2.76800E-03  3.97434E-03  5.54048E-03 
31   7.52560E-03  9.98318E-03  1.29596E-02  1.64949E-02  2.06246E-02 
36   2.53799E-02  3.07891E-02  3.68775E-02  4.36690E-02  5.11857E-02 

n = 140 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.01163E-40  3.61674E-39  7.33734E-37  2.19965E-34  4.41316E-31 
 6   5.04962E-28  1.39814E-24  1.24688E-21  5.97886E-19  9.87955E-17 
11   8.08426E-15  2.99212E-13  6.58221E-12  8.81292E-11  8.19347E-10 
16   5.55000E-09  2.93431E-08  1.25224E-07  4.49650E-07  1.39106E-06 
21   3.80057E-06  9.32833E-06  2.08939E-05  4.32132E-05  8.34419E-05 
26   1.51678E-04  2.61437E-04  4.29945E-04  6.78498E-04  1.03218E-03 
31   1.51926E-03  2.17048E-03  3.01880E-03  4.09904E-03  5.44782E-03 
36   7.10258E-03  9.09777E-03  1.14637E-02  1.42271E-02  1.74120E-02 

n = 160 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.10161E-46  4.48922E-45  1.17344E-42  5.01669E-40  1.86681E-36 
 6   4.44249E-33  3.38239E-29  8.30467E-26  1.10376E-22  4.48551E-20 
11   8.22931E-18  6.00596E-16  2.38665E-14  5.28278E-13  7.59978E-12 
16   7.51169E-11  5.53295E-10  3.15918E-09  1.46872E-08  5.71758E-08 
21   1.91933E-07  5.66887E-07  1.50111E-06  3.61395E-06  8.01344E-06 
26   1.65279E-05  3.19895E-05  5.85387E-05  1.01940E-04  1.69814E-04 
31   2.71850E-04  4.19968E-04  6.28482E-04  9.13982E-04  1.29497E-03 
36   1.79151E-03  2.42504E-03  3.21815E-03  4.19454E-03  5.37894E-03 

n = 180 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.18108E-52  5.40360E-51  1.76869E-48  1.03860E-45  6.76840E-42 
 6   3.17410E-38  6.32280E-34  4.17015E-30  1.52942E-26  1.54164E-23 
11   6.43456E-21  9.40765E-19  6.85942E-17  2.54621E-15  5.74207E-14 
16   8.37861E-13  8.68865E-12  6.70002E-11  4.06745E-10  2.00783E-09 
21   8.33948E-09  2.98308E-08  9.39352E-08  2.64665E-07  6.77278E-07 
26   1.59242E-06  3.47604E-06  7.10546E-06  1.37023E-05  2.50828E-05 
31   4.38309E-05  7.34728E-05  1.18633E-04  1.85151E-04  2.80190E-04 
36   4.12329E-04  5.91651E-04  8.29679E-04  1.13916E-03  1.53389E-03 

n = 200 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.25083E-58  6.34810E-57  2.54336E-54  1.99006E-51  2.16542E-47 
 6   1.90979E-43  9.50701E-39  1.64269E-34  1.65088E-30  4.15085E-27 
11   3.98840E-24  1.18400E-21  1.60566E-19  1.01212E-17  3.61920E-16 
16   7.87667E-15  1.16065E-13  1.21882E-12  9.73478E-12  6.13504E-11 
21   3.17240E-10  1.38215E-09  5.20253E-09  1.72365E-08  5.11289E-08 
26   1.37605E-07  3.40048E-07  7.79144E-07  1.66938E-06  3.36899E-06 
31   6.44534E-06  1.17526E-05  2.05210E-05  3.44554E-05  5.58425E-05 
36   8.76481E-05  1.33598E-04  1.98241E-04  2.87013E-04  4.06290E-04 

n = 250 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.38731E-73  8.77490E-72  5.40876E-69  7.83967E-66  2.60927E-61 
 6   9.43320E-57  3.88248E-51  6.69001E-46  8.02116E-41  2.00422E-36 
11   1.60958E-32  2.94386E-29  1.97886E-26  4.90886E-24  5.79891E-22 
16   3.56248E-20  1.30783E-18  3.06590E-17  5.00010E-16  5.95292E-15 
21   5.44802E-14  3.96906E-13  2.37961E-12  1.20333E-11  5.24971E-11 
26   2.01111E-10  6.87289E-10  2.12261E-09  5.99202E-09  1.56105E-08 
31   3.78515E-08  8.60400E-08  1.84519E-07  3.75441E-07  7.28331E-07 
36   1.35288E-06  2.41546E-06  4.15966E-06  6.93046E-06  1.12015E-05 

n = 300 
 k   p(n,k)       p(n,k+1)     p(n,k+2)     p(n,k+3)     p(n,k+4) 
 1   1.47764E-88  1.11932E-86  9.83244E-84  2.37616E-80  2.02941E-75 
 6   2.48750E-70  6.82386E-64  1.01320E-57  1.35211E-51  3.35347E-46 
11   2.33703E-41  2.77543E-37  9.78889E-34  1.00885E-30  4.14030E-28 
16   7.51397E-26  7.16126E-24  3.88900E-22  1.33922E-20  3.10487E-19 
21   5.17007E-18  6.45934E-17  6.31276E-16  4.97725E-15  3.25700E-14 
26   1.80862E-13  8.69349E-13  3.67642E-12  1.38762E-11  4.73123E-11 
31   1.47287E-10  4.22472E-10  1.12559E-09  2.80512E-09  6.57962E-09 
36   1.46051E-08  3.08299E-08  6.21540E-08  1.20132E-07  2.23377E-07 

n = 350 
 k   p(n,k)        p(n,k+1)      p(n,k+2)      p(n,k+3)      p(n,k+4) 
 1   1.53041E-103  1.35060E-101  1.60284E-98   5.99444E-95   1.15598E-89 
 6   4.15490E-84   6.36291E-77   7.12431E-70   9.81396E-63   2.38010E-56 
11   1.47173E-50   1.17990E-45   2.28345E-41   1.02142E-37   1.51735E-34 
16   8.44461E-32   2.16145E-29   2.80349E-27   2.09567E-25   9.70161E-24 
21   3.00716E-22   6.57878E-21   1.06830E-19   1.33657E-18   1.33338E-17 
26   1.08953E-16   7.46950E-16   4.38196E-15   2.23833E-14   1.01023E-13 
31   4.08092E-13   1.49196E-12   4.98491E-12   1.53517E-11   4.39066E-11 
36   1.17397E-10   2.95185E-10   7.01651E-10   1.58406E-09   3.41082E-09 

n = 400 
 k   p(n,k)        p(n,k+1)      p(n,k+2)      p(n,k+3)      p(n,k+4) 
 1   1.55291E-118  1.56457E-116  2.41161E-113  1.32035E-109  5.21575E-104 
 6   4.90260E-98   3.61544E-90   2.70641E-82   3.56518E-74   8.25910E-67 
11   4.58566E-60   2.55583E-54   2.81416E-49   5.66577E-45   3.15379E-41 
16   5.55533E-38   3.93027E-35   1.24956E-32   2.07597E-30   1.96036E-28 
21   1.15333E-26   4.49726E-25   1.23335E-23   2.48551E-22   3.83276E-21 
26   4.66781E-20   4.61886E-19   3.80070E-18   2.65470E-17   1.60138E-16 
31   8.47073E-16   3.98086E-15   1.68143E-14   6.44748E-14   2.26456E-13 
36   7.34282E-13   2.21339E-12   6.24107E-12   1.65527E-11   4.14991E-11 

n = 450 
 k   p(n,k)        p(n,k+1)      p(n,k+2)      p(n,k+3)      p(n,k+4) 
 1   1.55124E-133  1.75679E-131  3.41223E-128  2.61980E-124  1.96368E-118 
 6   4.40044E-112  1.37925E-103  6.19409E-95   7.23803E-86   1.55644E-77 
11   7.79521E-70   3.08892E-63   1.99379E-57   1.86331E-52   4.00361E-48 
16   2.29399E-44   4.59937E-41   3.66621E-38   1.38170E-35   2.71137E-33 
21   3.07933E-31   2.17355E-29   1.02106E-27   3.35795E-26   8.10087E-25 
26   1.48691E-23   2.14569E-22   2.50052E-21   2.40980E-20   1.95927E-19 
31   1.36783E-18   8.32458E-18   4.47600E-17   2.15115E-16   9.33645E-16 
36   3.69290E-15   1.34195E-14   4.51235E-14   1.41305E-13   4.14464E-13 

n = 500 
 k   p(n,k)        p(n,k+1)      p(n,k+2)      p(n,k+3)      p(n,k+4) 
 1   1.53052E-148  1.92464E-146  4.59900E-143  4.78471E-139  6.39731E-133 
 6   3.16656E-126  3.79129E-117  9.26531E-108  8.93129E-98   1.72679E-88 
11   7.79518E-80   2.23403E-72   8.66735E-66   3.86142E-60   3.28692E-55 
16   6.27531E-51   3.64507E-47   7.43141E-44   6.46943E-41   2.68186E-38 
21   5.96843E-36   7.73090E-34   6.29946E-32   3.42003E-30   1.30459E-28 
26   3.64471E-27   7.74067E-26   1.28847E-24   1.72694E-23   1.90660E-22 
31   1.76903E-21   1.40341E-20   9.66536E-20   5.85587E-19   3.15796E-18 
36   1.53163E-17   6.74271E-17   2.71643E-16   1.00884E-15   3.47656E-15 
Abstract 

It is generally accepted that data encipherment is needed for 
secure distributed data processing systems. It is accepted, 
moreover, that the enciphering algorithms are either published or 
must be assumed to be known to those who wish to break the 
security. Security then lies in the safe keeping of the 
encipherment keys, which must be generated and stored securely 
and distributed securely to the intending users. 

At an intermediate level of detail of a system it may be useful 
to have functions which manipulate keys explicitly but which hide 
some of the details of key generation and distribution, both for 
convenience of use and so that new underlying techniques can be 
developed. This paper offers a contribution to the discussion. It 
proposes key manipulation functions which are simple from the 
user's point of view. It seeks to justify them in terms of the 
final secure applications and discusses how they may be 
implemented by lower level techniques described elsewhere. The 
relationship of the functions to telecommunication standards is 
discussed and a standard form is proposed for encipherment key 
information. 
1. Introduction 

It is generally accepted that data encipherment is needed for 
secure distributed data processing systems. It is accepted, 
moreover, that the enciphering algorithms are either published or 
must be assumed to be known to those who wish to break the 
security. Security then lies in the safe keeping of the 
encipherment keys, which must be generated and stored securely 
and distributed securely to the intending users. A number of 
schemes have been proposed, and in some cases implemented, to 
manipulate keys securely. For example refs. 1, 2 and 3 describe 
different methods and offer different but overlapping sets of 
facilities to the user. It is likely that new methods will be 
developed and that some part of these methods should be hidden 
from the user. Since the subject has clearly not reached a 
stable point it is very likely that any attempt at present to 
establish a standard user interface will soon need revision. 
Nevertheless, this paper is written on the assumption that a 
discussion of such an interface is useful, since it helps to 
identify the common features of different schemes and to gain 
some idea of which features will become generic and which become 
part of the underlying mechanisms. 

At some level the user does not concern himself with the 
manipulation of keys or with explicit commands to encipher and 
decipher data. He asks for a secure connection to another user 
or for a securely stored file and can assume that such details 
are thereby taken care of. At a lower level software and hardware 
logic exists which deals with things such as how keys are 
generated, how data encipherment keys and key encipherment keys 
are kept distinct and the manner of transporting a data 
encipherment key to a remote user. 

At an intermediate level of detail it may be useful to have 
functions which manipulate keys explicitly but which hide some of 
the details, both for convenience of use and so that new 
underlying techniques can be developed. This paper discusses this 
intermediate level. In doing so it must make assumptions about 
which functions are primitive at this level. For example, since a 
digital signature may be achieved by enciphering a message 
digest, using the secret member of a public key pair, one might 
decide that it is an application to be programmed in terms of 
encipherment primitives and does not give rise to specific 
primitive operations. This view is invalidated by signature 
techniques which do not depend upon encipherment. Similarly 
there is implicit in such an interface a judgement of which 
details should be hidden. Ref. 4 describes a key 
distribution centre. In an appropriate context software at some 
level submits a request to a key distribution centre (KDC) for a 
key which can be used to communicate securely with an intended 
correspondent. We may wish to produce software which needs no 
modification when moved from such an environment to one where the 
system supporting the application user keeps records to enable it 
to issue keys securely to all members of the community. If this 
is so we should hide the use or non use of the KDC, but we judge 
in doing so that the user at that level has not lost needed 
flexibility. Such judgements as these are made in what follows 
and the reasons for them are discussed. 



2. The Functions 



This section describes a set of functions to generate and 
manipulate keys. The intention is that they appear simple to the 
user. The user is somewhat ill defined, but well enough, it is 
hoped, for the benefit of the discussion. One candidate is 
certainly an application process which makes use of an 
application service as defined in the Open Systems 
Interconnection model (see ref. 8) and which wishes to perform 
explicit data encipherment. Another candidate is the logic of a 
transport layer entity in the Open Systems Interconnection model 
which offers a secure service to users of the transport service 
and which, therefore, sends a data enciphering key to a remote 
transport entity. The functions are as follows. 
i) Generate key(t,s) meaning generate for me a key or a 
pair of keys of type t and return to me, as the result 
of this function, the local name of the item containing 
the key or keys. The type shows, among other things, 
whether a symmetric or asymmetric algorithm is 
involved. In the former case a single key is generated 
and returned as the result of the function. In the 
latter case the enciphering and deciphering pair is 
generated and returned. The local name is subsequently 
used subscripted by 1 or 2 to indicate an individual 
member of a key pair thus generated or unsubscripted to 
mean the single key generated or the complete item 
containing the key pair. s is a 64 bit string, 
supplied by the caller, which is to be used by the key 
generation function. The caller does not know the 
cleartext value of the key generated but is assured 
that the same t and s values in a subsequent call 
generate the same key or keys. s may be omitted, in 
which case the values generated, as far as the caller 
is concerned, are random, and his chance of generating 
them again is no better than chance. The type t is an integer. 
Possible meanings assigned to its values are: 
a key enciphering key (KEK) for DEA1 , 
a data enciphering key (DEK) for DEA1 . 
an RSA key pair to be used for enciphering keys. 
Other meanings, to which values might be assigned, are 
discussed in section 3. 

N.B. this function and the next two have a result. The 
assumption is that the user has a notation which 
enables him to write something like 

x := generate key ( y, z). 
The variable which is to hold the result could be 
written as another parameter. This is a matter of 
taste. 

ii) Give key(k,q) meaning send my key whose local name is k 
securely to the user known to me as q. Assign to the 
key a common reference number which we may use in 
messages to each other and in communicating with our 
local encipherment services (of which this function 
forms a part). Make the reference number available to q 
and return it to me as the result of this function. 
N.B. the exact manner of making it known to q that the 
key is available for him is not considered here. In an 
implementation it would not be a trivial issue. 
Similarly although we may assume that the services at 
the users' locations acknowledge receipt to each other 
there is need to consider whether the end user should 
do so as well. The assumption here is that if this is 
done it is separate from the basic functions needed for 
key distribution. 

iii) Mutual key(t,q,s) meaning generate a mutual key for me 
and user q. Use seed s and give the key type t. t and 
s are as in "generate key", s may be omitted to obtain 
a random key. Assign to the key a common reference 
number and make it available to q and return it to me 
as the result of this function. 

iv) Take key ( r , q ) meaning make the key whose reference 
number is r unavailable to user q. 

v) Destroy key(K) meaning destroy the key identified by K. 

K may be a local name of a key, created by "generate 
key" or a reference number created by "give key" or 
"mutual key" 



3. Use of the Functions 



This section considers the functions of section 2 in the light of 
applications of encryption and related techniques. 

3.1 Connection Establishment and User Authentication 

When establishing a connection between two users so that they may 
exchange messages protected by encryption (for example if they 
use an insecure telecommunication link) both users (or their 
local services) must be provided with a key and the users must be 
authenticated to each other's satisfaction. "Give key" and 
"mutual key" may both be used to send a key to a remote user (the 
reason why both exist is discussed in section 4). A reasonable 
requirement of either of these functions is that it delivers the 
key, guarantees to the initiator that the recipient is the user 
requested, tells the recipient from whom the key came and 
guarantees that he, in his turn, is who he claims to be, i.e. not 
just a legitimate user of the service. This is illustrated in 
figure 1., where A is one of a number of users of the A service 
and B is one of a number of users of the B service. The A 
service is used by A in a controlled environment in which the 
identity of A is assured (for example the process which 
represents him has been initiated after the submission of a 
password to a control program which controls access to resources, 
one of which is the A service). B has the same relationship to 
the B service. The route between the A service and the B service 
is assumed to be insecure in the absence of encipherment. 



Fig. 1: users A and B, served by the A service and the B service, 
joined by a route which is insecure in the absence of encipherment. 



After receiving a request from A to deliver a key to B the A 
service, having discovered the route, sends it to the B service, 
suitably enciphered by a KEK. The A service and the B service 
must authenticate each other. Their manner of doing this depends 
upon a number of factors, including whether a KDC is involved and 
whether the KEK is a public or secret key. Methods are 
discussed, for example, in refs. 4 and 7. For example, ref. 4 
describes protocols for sending a DEA1 key, first when it is 
protected by DEA1 encryption and secondly when it is protected by 
public key encryption. In both cases the protocol is described 
in terms of a user A who wishes to send a key to another user B, 
with the aid of a KDC (see fig. 2). 
Fig. 2: user A sends a key to user B with the aid of a KDC. 



In the first case the protocol has three logical parts viz: 

i) A obtains securely from KDC two copies of the key, one 
enciphered by A's KEK and the other enciphered by B's KEK. 

ii) A sends to B the copy enciphered by B's KEK. 

iii) A and B use the key to exchange authentication protocol. 

In the second case the protocol has four logical parts viz: 

i) A obtains securely from KDC B's public key and the key to 
be used. 

ii) A sends to B the key enciphered by B's public key. 

iii) B obtains securely from KDC A's public key. 

iv) A and B exchange authentication protocol. 

(For details of the values exchanged to cope with particular 
security problems see ref. 4.) 

Either of these methods may be hidden from the users at the level 
proposed for them here. The appropriate interchanges are 
initiated by the function 'mutual key'. A possible improvement 
in underlying protocols to remove as yet unknown security flaws 
is also hidden from them. 
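The following is an added worked example, not code from the paper or from refs. 1 to 4, which realises the five functions of section 2 on top of the first (secret key) KDC protocol just described. Its assumptions are these: DEA1 key encipherment is stood in for by an HMAC-SHA256 encrypt-then-MAC construction (wrap, unwrap), since the standard library has no block cipher; each copy of a key is bound to the ordered pair of users so that a copy produced for A and B cannot be presented to a third user; the authentication of part (iii) is reduced to the recipient proving possession of the new key; the RSA key type and the second (public key) protocol are left out; and the dictionary called network stands in for the telecommunication route between the two services. The class, method and variable names are this example's own.

```python
import hashlib
import hmac
import secrets

KEK_DEA1, DEK_DEA1 = 1, 2  # key types of section 2 (the RSA pair type is left out)
KEY_LEN = 8                # a 64 bit key variable, as for DEA1


def wrap(kek, key, ctx):
    """Encipher a key under a KEK (stand-in for DEA1): pad the key with HMAC(kek,
    nonce), then MAC the nonce, the ciphertext and the context the key is bound to."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()[:len(key)]
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct + ctx, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek, blob, ctx):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(kek, b"mac" + nonce + ct + ctx, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):  # check before deciphering, constant time
        raise ValueError("key blob failed its integrity check")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))


class KDC:
    """Key distribution centre (ref. 4, first case): holds one KEK per service."""
    def __init__(self):
        self.keks = {}

    def key_for(self, a, b):
        """Part (i): a fresh key, one copy under A's KEK and one under B's, both bound to A->B."""
        key, ctx = secrets.token_bytes(KEY_LEN), f"{a}->{b}".encode()
        return wrap(self.keks[a], key, ctx), wrap(self.keks[b], key, ctx)


class Service:
    """The 'A service' of fig. 1: the only place its users' keys appear in clear."""
    def __init__(self, name, kdc, network):
        self.name, self.kdc, self.net = name, kdc, network
        self.kek = kdc.keks.setdefault(name, secrets.token_bytes(16))
        self.master = secrets.token_bytes(32)  # drives seeded key generation
        self.keys = {}  # local name or reference number -> (type, clear key)
        self.count = 0
        network[name] = self  # the dict stands in for the telecommunication route

    def _new_name(self):
        self.count += 1
        return f"{self.name}#{self.count}"

    def _ack(self, ref, key):
        return hmac.new(key, b"ack" + ref.encode(), hashlib.sha256).digest()

    def _receive(self, sender, ref, t, blob, via=None):
        """Remote side of part (ii): decipher under my KDC KEK (or a KEK already shared)."""
        kek = self.kek if via is None else self.keys[via][1]
        key = unwrap(kek, blob, f"{sender}->{self.name}".encode())
        self.keys[ref] = (t, key)
        return self._ack(ref, key)

    def _deliver(self, q, t, key, blob, via=None):
        ref = self._new_name()  # the common reference number returned to the caller
        ack = self.net[q]._receive(self.name, ref, t, blob, via)
        if not hmac.compare_digest(ack, self._ack(ref, key)):  # part (iii)
            raise ValueError(f"{q} did not prove possession of key {ref}")
        self.keys[ref] = (t, key)
        return ref

    def generate_key(self, t, s=None):
        """i) the same t and s give the same key; with s omitted the key is random."""
        if s is not None and len(s) != 8:
            raise ValueError("seed s must be a 64 bit string")
        key = (secrets.token_bytes(KEY_LEN) if s is None else
               hmac.new(self.master, bytes([t]) + s, hashlib.sha256).digest()[:KEY_LEN])
        name = self._new_name()
        self.keys[name] = (t, key)
        return name

    def mutual_key(self, t, q):
        """iii) parts (i) to (iii) of the first KDC protocol, hidden from the user."""
        for_me, for_q = self.kdc.key_for(self.name, q)
        key = unwrap(self.kek, for_me, f"{self.name}->{q}".encode())
        return self._deliver(q, t, key, for_q)

    def give_key(self, k, q):
        """ii) re-encipher my key k under a transport KEK obtained through the KDC;
        the caller sees neither the KDC nor the KEK, only the reference number."""
        t, key = self.keys[k]
        via = self.mutual_key(KEK_DEA1, q)
        blob = wrap(self.keys[via][1], key, f"{self.name}->{q}".encode())
        return self._deliver(q, t, key, blob, via)

    def take_key(self, r, q):
        """iv) make the key with reference number r unavailable to user q."""
        self.net[q].keys.pop(r, None)

    def destroy_key(self, K):
        """v) destroy a key by local name or reference number."""
        self.keys.pop(K, None)
```

The user of the service sees only local names and reference numbers, as section 2 intends: whether "give key" went direct or through the KDC, and how many re-encipherments took place, is hidden from him. A real service would keep the transport KEK rather than fetch a new one for every "give key", and would carry the identity checks of ref. 4 in part (iii) rather than the bare proof of possession used here.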

Once the two services have authenticated each other they may 
trust each other to have authenticated the users they serve and 
therefore to give A and B a service which authenticates the 
remote user. 

Having obtained a mutual key, the two users, if they are 
particularly suspicious, may wish to exchange further messages to 
convince themselves of each other's genuineness. This must 
depend upon further secret information, which becomes vulnerable 
if it is sent to the other, as yet untrusted, party, using the 
newly established connection. They may, for example, exchange 
passwords using the protection of the connection they do not 
quite trust. If a correct reply password is not received within 
the permitted number of attempts the first one is compromised and 
there is a suspicion that the key distribution service is in 
error. The users may, on the other hand, have private 
encipherment keys, previously delivered, which they use only to 
protect their private authentication protocol. If the protocol 
reveals a doubt of correct identity no secret user information is 
compromised but, as before, the trustworthiness of the key 
distribution service is in doubt. This kind of consideration is 
inevitable if there is a standard service which distributes keys 
and attempts to guarantee that the sender and recipient are 
genuine. An alternative is that the service does not use 
encipherment to authenticate the users, but leaves it to them. 
Another is that the identity of the recipient is guaranteed but 
that he is only sure that the originator is an authorised user of 
the key distribution service. Neither of these possibilities 
seems as useful since one or both users must either risk 
compromising secret information or must hold a key personally. 
They may well do so but they should not be forced to. 

Another point to consider is that a user who wishes to connect to 
a remote resource may not be directly identifiable by that 
resource. For example, a database interrogation service may 
contain no check of its user's authority, assuming that his 
identity was established as part of the identification procedure 
when he logged in and that the resources at his disposal, 
including the interrogation service, were thereby decided. There 
will then be an entity, at the same location as the user who 
wishes to connect, which is concerned with resource allocation, 
which knows which users are allowed to use which resources and 
which checks permission before allowing the user's connection to 



be made. This entity has a privileged position in remote user 
authentication in that it is trusted by remote parts of the 
service (entities of the same kind as itself) to guarantee that 
the users it serves are only given authorised connections. It is 
useful to build into the service some mechanism to guarantee to 
such privileged entities that they are communicating with their 
own kind. The simplest way of doing this is to design the 
control software so that all connections to remote processes are 
handled by such entities and that they check access permission at 
one or both of the sites involved. If we assume that this is not 
the case and that there is a need to make connections between 
processes which will do their own checking of authorisation then 
a possible way of identifying the entities which are to be given 
more trust is to allocate exclusively for their use a special 
type of key. The encipherment service guarantees to the remote 
encipherment service that such a key may only be used 
successfully by such an entity. Ref. 2 introduces the idea of 
type values which it is useful to bind securely to keys (e.g. DEK 
or KEK). A useful type value which is not mentioned there is one 
which guarantees that the key may be used only by an entity 
authorised to check access rights. 

There are applications where it is useful to be able to generate 
the same key at two remote sites rather than sending the key from 
one to the other and without sending values used to generate it 
via the telecommunication link. For example, a customer is 
supplied with a plastic card which is used to help identify him. 
The card contains a value which is to help generate the key to be 
used in sending information to a central installation. In 
addition he is required to type in a PIN value which also 
contributes. Another contributory value comes from the terminal 
into which he inserts his card (the terminal value may be changed 
periodically for greater security). The central installation 
holds these values. When it is told in clear who the customer and 
the terminal claim to be it generates a key using the stored 
values, knowing that the genuine terminal can generate the same 
on behalf of the genuine user. For this and similar cases the key 
generation functions in section 2 contain a seed value, with the 
assurance that the same seed will generate the same key. When an 
unrepeatable key is wanted the seed is omitted. There is, of 
course, a danger in this facility and it may well be that it 
should be denied to some users. 
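An added example, not from the paper, of the card, PIN and terminal case described above. The derivation function and the message format are assumptions (HMAC-SHA256 truncated to 64 bits plays the part of the seeded key generation function), the card, PIN and terminal values are constructed for the example, and the names Terminal and CentralInstallation are its own.

```python
import hashlib
import hmac

KEY_LEN = 8  # a 64 bit key, as for DEA1


def derive_key(card_value, pin, terminal_value):
    """Generate the key from the three contributions. HMAC-SHA256 is an assumed
    derivation; the paper requires only that equal inputs give equal keys."""
    msg = pin.encode() + b"/" + terminal_value
    return hmac.new(card_value, msg, hashlib.sha256).digest()[:KEY_LEN]


def mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


class Terminal:
    """Holds its own contributory value (changed periodically); reads card and PIN."""
    def __init__(self, terminal_id, terminal_value):
        self.id, self.value = terminal_id, terminal_value

    def transaction(self, customer_id, card_value, pin, text):
        key = derive_key(card_value, pin, self.value)
        # Only the claimed identities travel in clear; the key and its inputs never do.
        return {"customer": customer_id, "terminal": self.id,
                "text": text, "mac": mac(key, text)}


class CentralInstallation:
    """Holds the stored card values, PINs and terminal values."""
    def __init__(self, cards, pins, terminals):
        self.cards, self.pins, self.terminals = cards, pins, terminals

    def accept(self, msg):
        """Regenerate the key for the claimed customer and terminal and check the
        message under it; an unknown identity, wrong PIN or stale terminal value fails."""
        try:
            key = derive_key(self.cards[msg["customer"]], self.pins[msg["customer"]],
                             self.terminals[msg["terminal"]])
        except KeyError:
            return False
        return hmac.compare_digest(mac(key, msg["text"]), msg["mac"])

    def rotate_terminal(self, terminal_id, new_value):
        """Periodic change of a terminal's value; the terminal must be given the same."""
        self.terminals[terminal_id] = new_value


# Constructed sample data for this example (not from the paper).
SAMPLE_CARDS = {"cust-42": bytes.fromhex("a1b2c3d4e5f60718")}
SAMPLE_PINS = {"cust-42": "4711"}
SAMPLE_TERMINALS = {"term-7": bytes.fromhex("0f1e2d3c4b5a6978")}
```

Only the claimed customer and terminal identities are sent, and a message is rejected once the terminal value has been changed at the centre but not at the terminal, which is why the periodic change must be coordinated. The short PIN is the weak contribution: anyone who learns the card value and the terminal value can search all PINs offline against one observed message, so those two values must themselves be kept secret.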



In making a request for a transport connection, as described in 
the Open Systems Interconnection model, it is envisaged that a 
user may ask that it be secure. The details of what this means 
are not yet spelled out but it certainly implies encipherment. A 
connection request message may contain 'security parameters' (see 
ref. 9) and we may suppose that they will indicate the key to be 
used, either as the actual key (suitably enciphered) or as a 
reference to a key already known to both parties. We may then 
consider the applicability of the functions described here. First 
if the two parties have an established mutual KEK used to 
encipher keys they wish to send each other the functions are not 
applicable. The key to be used for the connection is enciphered 
by a call on the sender's encipherment service. It may then 
either be placed in the connection request message or it may be 
sent beforehand (for example as one of a batch of keys to use 
that day) and a reference to it may be placed in the connection 
request message. If the two parties do not have such a mutual 
KEK and do not have a supply of session keys to choose from then 
the function 'mutual key' applies. However, it cannot be used to 
encipher the key which is then placed in the connection request 
because that is not its function. Its function is to deliver the 
key. Neither is it reasonable to suppose that a key should be 
extracted from the connection request as it passes from one KEK 
domain to another (and there may be such separate domains for 
security purposes). The use of 'mutual key' in this case is to 
establish a mutual key for the two end users so that they may use 
it to encipher the keys to be used subsequently for transport 
connection protection. It must be done as a separate previous 
operation and, at least the first time, must be sent over an 
'insecure' transport connection. This does not matter as the 
function handles its own security. 

3.2 Data Privacy & Data Authentication 

Once keys have been successfully exchanged by the two end users 
of a telecommunication link or by their local services on their 
behalf data privacy may be achieved by data encipherment and 
decipherment. Each local service must therefore provide 
enciphering and deciphering functions. The user may also wish to 
encipher and decipher keys using key enciphering keys to produce 
and make use of key hierarchies. These topics are dealt with for 
example in refs. 1 and 2, which describe means of protecting keys 
such that they never appear in clear outside a trusted 
encipherment environment. They are relevant to this paper in 
that the user of the key manipulation facility needs the ability 
to operate explicitly upon keys of a chosen type, but should not 
need to know how the types are indicated or need to be wary of 
operations upon keys of a particular type which might prejudice 
security. Data authentication and greater assurance of privacy 
are obtained by using particular modes of operation of 
encipherment (for example cipher block chaining or cipher feed 
back when using block ciphers) and by the addition of checking 
information (for example enciphered sum checks to reveal illicit 
modification and various identifying values to reveal illicit 
insertions and replays). These functions are not directly 
concerned with key generation and distribution and are not dealt 
with in this paper. 

3.3 Digital Signatures 

A digital signature depends upon a sender using a key that no one 
else has and the receiver being able to demonstrate that the key 
has been used. To do this the sender may use the secret key of a 
public key cipher, such as RSA, and make the public key available 
to the receiver (ref. 5). Using the functions described here a 
type value would be assigned to mean a public key pair. The 
effect of a public key cipher may be achieved by adding type 
information, meaning "encipher only" or "decipher only" to a 
symmetric cipher key in a trusted environment, with the knowledge 
that it can only be removed and acted upon in a trusted 
environment (ref.2). Another possibility is to use an algorithm 
which has an associated public and private key but which 
transforms the text to be signed by some means other than 
encipherment. Such keys can also be indicated by type 
information in the functions described in section 2. 

3.4 Stored Secure Files 

The key generation function may be used to generate a key which 
enciphers a file stored locally or whose medium is to be 
physically removed from the computer environment. If a file is 
stored for a long time or is transferred to a separate site it 
will be necessary to re-encipher. Ref.1 points out that a 
hierarchy of keys is needed in such a case. Refs. 1 and 2 
discuss how this may be achieved securely. The exact method is 
hidden at a lower level and visible in the functions described 
here only in the fact that keys are generated with an explicit 
type which indicates Key Enciphering Key or Data Enciphering Key. 

3.5 Protection of Software Copyright 

Ref.2 points out that type information securely attached to a key 
may be used, given a secure execution environment, to safeguard 
copyright. Software to be protected would be enciphered by the 
key and the key would be supplied to the user enciphered by a KEK 
which was available only inside the secure execution environment. 

When the software was used it would be deciphered as an implicit 
part of the loading operation. This idea anticipates the 
commercial availability of such an execution environment. 
However, when appropriate, a type value could be assigned in the 
functions of section 2. 



4. Relationship to Detailed Key Manipulation Schemes 



This section discusses how the functions described in section 2 
can be implemented using a number of techniques described 
elsewhere. The functions are dealt with in turn. 

4.1 Generate key 

Let us assume we are using one of the key management schemes 
described in refs. 1, 2 and 3. Each of them, when it generates a 
key and makes it available outside the trusted encipherment 
facility protects it by enciphering it. The schemes differ in 
how they do this and in how they ensure that the keys may not be 
misused (for example that a DEK may not be deciphered and made 
available outside the encipherment facility in clear form). They 
differ in the amount of protection they give the keys. The Key 
Notarization Scheme guarantees that a key can only be used 
successfully by the intended users by making the encipherment and 
decipherment of the key a function of the identities of the users 
for whom the key is intended. Since a user must establish his 
identity in a way which satisfies security criteria (for example 
by supplying a password) he cannot successfully use someone 
else's key. The IBM scheme protects the key from exposure and 
ensures that some different types of key cannot be confused. To 
do this different master keys at an installation are used to 
encipher KEKs , session keys and keys used to encipher files. The 
operating system is relied upon to ensure that the keys are used 
by the intended users. The ICL scheme enciphers a key, together 
with type information indicating how it may be used, by a KEK (in 
some cases by an installation master key). It can, therefore, 
potentially restrict keys in ways which may be defined and could 
include the equivalent of the Key Notarization scheme. The 
functions supplied in terms of key type therefore overlap and 
where they coincide they are not implemented in the same way. The 
functions described in section 2 may be mapped on to any of the 
three, with the proviso that some of the key types envisaged are 
not present in some cases. 

The local name produced by "generate key" is then in the context 
of ref.1 the form enciphered by KMO, KM1 or KM2 according to its 
type. In the context of ref.2 it is the key and concatenated type 
enciphered by the master key. In the context of ref .3 it is the 
form supplied by the Key Notarisation Facility. 

If a key is to be associated securely with its users as in ref. 3 
then extra associated software is needed if the basic 
encipherment facility does not provide it. Whether it is always 
desirable to tie a generated key immediately to particular users 
is a debatable point. 

4.2 Give key 

Assume that the user to whom the key is to be given is at a site 
which uses a similar system in terms of refs. 1, 2 and 3. If the 
first site has the necessary KEK it can re-encrypt the generated 
key and send it directly to the second site. There the service 
re-encrypts it for the second user if the key used to protect it 
in transit is not the one which protects it when it is stored 
there. There may, on the other hand, be a series of 
re-encipherments en route because of the need to cross different key 
domains. The user of the "give key" function may remain unaware 
of this. 

As in ref. 4, a Key Distribution Centre may be used to generate 
the key in a form suitable for transmission to another site. This 
also may be hidden from the user of the "give key" function. 

If the sender and recipient are encipherment services which 
differ in the way they encode keys for protection (as in refs. 1, 
2, and 3) more manipulation is needed to effect the transfer. 
There must be a transformation function, which operates in an 
environment as secure as the one used to encipher the data in the 
first place, which deciphers and re-enciphers, reformatting as 
necessary. This also can be hidden from the user of "give key" , 
although a standard way of formatting keys and their associated 
information is clearly desirable. 

4.3 Mutual key 

In some cases this may be only a shorthand way of writing 
"generate key", followed by "give key". However consider the 
following cases. 

a) When a KDC is used to generate the key it may be necessary 
to tell it the identity of the other partner in the connection so 
that it may encipher it appropriately (see, for example, ref.4). 

b) The generation of the key may need the involvement of the 
encipherment services at both ends of the connection (for 
example when using the Diffie/Hellman algorithm (ref. 6)). 

For such reasons "mutual key" is needed as a primitive function 
at this level. 

4.4 Take key and Destroy key 

If the underlying implementations are those of refs. 1 , 2 or 3 
these functions are barely necessary. If a generated key is 
stored by the encipherment service and a reference to it passed 
back to the user then an explicit destruction of keys is needed. 
"Take key" may also be used to inform the service that a 
particular user is no longer entitled to use a key. 
5. Relationship to Communication Standards 

We may expect the emerging Open Systems Interconnection standards 
to provide secure services. For example, as already mentioned, 
an enhancement of the transport service is likely to provide 
authentication of users, data privacy and data authentication. 
The two entities which communicate to provide this service must 
establish jointly agreed keys and initialisation variables and 
would make use of functions such as those described in this 
paper. The form of the transmitted key and its accompanying 
information is an obvious candidate for standardisation and would 
avoid the need to transform the key en route, other than to 
change its key encryption key. In seeking a standard form we have 
to consider: 

i) the length of the key, 

ii) the permitted users (if this is to be declared explicitly), 

iii) information about the type of use permitted. 

The methods referred to in this paper do not all allow the same 
restrictions of key use to be described. Moreover, in some 
cases, the restriction is implied in the manner of enciphering 
the key (e.g. the Key Notarization scheme). A standard which 
explicitly stated the users could therefore be considered 
redundant in this case. However, if the basic key manipulation 
method does not involve the user's identity (as in ref.1 and in 
ref.2 in its simplest form) the addition gives added security. 

The basic encipherment algorithm affects both the length of the 
key and the type information which is relevant. For example, an 
indication of "encipherment" or "decipherment" is irrelevant to 
an RSA key. 

Ref. 2 has suggested that the "parity" bits in the DES key could 
be used to indicate typing information. This may be unacceptable 
as an international standard. The typing information must then 
be held separately from the 64 bit key variable. 
Bearing these points in mind the following is a tentative 
suggestion for a standard form for a key and associated 
information. First, the clear form. It has the format: 

key length, key, key type, users 

where "key length" is an integer which gives the length of the 
following key; 

where "key" is the key as a binary string; 

where "key type" is a binary string whose bits have the following 
significance: 

1st bit DEK or KEK, 
2nd bit enciphering key or not, 
3rd bit deciphering key or not, 
4th bit software protection key or not, 
5th bit key usable by any process or only by one 
        authorised to check access rights, 

(meanings for other bits are likely to prove useful); 

and where "users" consists of either one or two alphanumeric 
strings which identify the permitted user or users. 



If such a composite item is to be transmitted over an insecure 
telecommunication line it must be enciphered. The form this 
takes depends upon the enciphering method. Using a 64 bit block 
cipher, for example, one must use some method of ensuring that 
the separate blocks which form the item cannot be changed 
unnoticed. One might, for example, form an enciphered sum check 
of the whole item and send it with it. A method which enciphered 
a block as long as the composite item could dispense with this. 
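An added example (not the paper's) of the tentative standard form above as an encoder and parser, with the enciphered sum check replaced by a MAC under the KEK over the whole item, and with a use check which lets the service, rather than the user, refuse an operation the type bits do not permit (the point made in section 3.2). The byte layout, the bit ordering (1st bit least significant) and the function names are assumptions; encipherment of the item itself for transmission is not shown.

```python
import hashlib
import hmac
import struct

# The five defined bits of "key type" (assumed order: 1st bit = least significant).
TYPE_KEK = 0x01           # 1st bit: set for a KEK, clear for a DEK
TYPE_ENCIPHER = 0x02      # 2nd bit: enciphering key
TYPE_DECIPHER = 0x04      # 3rd bit: deciphering key
TYPE_SOFTWARE = 0x08      # 4th bit: software protection key
TYPE_ACCESS_CHECK = 0x10  # 5th bit: usable only by an entity authorised to check access rights

OPERATIONS = ("encipher_data", "decipher_data", "encipher_key", "decipher_key")


def encode_item(key, key_type, users):
    """Clear form 'key length, key, key type, users'. Assumed encoding: 2 byte
    big-endian key length in octets, the key, one type byte, a count byte and
    0, 1 or 2 length-prefixed ASCII alphanumeric user names."""
    if not 1 <= len(key) <= 0xFFFF or not 0 <= key_type <= 0xFF:
        raise ValueError("key length or key type out of range")
    if len(users) > 2 or not all(u.isascii() and u.isalnum() and len(u) < 256 for u in users):
        raise ValueError("users must be at most two alphanumeric strings")
    item = struct.pack(">H", len(key)) + key + bytes([key_type, len(users)])
    for u in users:
        item += bytes([len(u)]) + u.encode("ascii")
    return item


def decode_item(item):
    """Parse the clear form, refusing truncated or over-long items."""
    if len(item) < 4:
        raise ValueError("item too short")
    (klen,), off = struct.unpack_from(">H", item), 2
    key = item[off:off + klen]
    off += klen
    if len(key) != klen or len(item) < off + 2:
        raise ValueError("truncated item")
    key_type, n = item[off], item[off + 1]
    off += 2
    if n > 2:
        raise ValueError("more than two users")
    users = []
    for _ in range(n):
        if off >= len(item):
            raise ValueError("truncated user list")
        ulen = item[off]
        users.append(item[off + 1:off + 1 + ulen].decode("ascii"))
        off += 1 + ulen
    if off != len(item):
        raise ValueError("item length does not match its fields")
    return key, key_type, users


def seal(kek, item):
    """The 'enciphered sum check' for transmission: a MAC under the KEK over the
    whole item, so no block of a multi-block encipherment can be changed unnoticed."""
    return item + hmac.new(kek, item, hashlib.sha256).digest()


def open_sealed(kek, sealed):
    item, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(kek, item, hashlib.sha256).digest(), tag):
        raise ValueError("sum check failed: item altered in transit")
    return decode_item(item)


def permits(key_type, operation, caller_checks_access=False):
    """Let the service, not the user, decide whether a key of this type may be
    used: KEKs only on keys, DEKs only on data, and a key carrying the 5th bit
    only by an entity authorised to check access rights."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if key_type & TYPE_ACCESS_CHECK and not caller_checks_access:
        return False
    if bool(key_type & TYPE_KEK) != operation.endswith("_key"):
        return False
    needed = TYPE_ENCIPHER if operation.startswith("encipher") else TYPE_DECIPHER
    return bool(key_type & needed)
```

Flipping the type byte of a sealed item (for example turning a KEK into a DEK, which would let a key be deciphered and exposed as data) fails the sum check rather than being acted upon, and permits() is where a service would consult the type bits before every use of a key.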
6. Conclusions 

This paper has discussed a number of issues related to the 
standardisation of the interface to an enciphering service at a 
particular level. 

Several ways of providing basic key manipulation features have 
been considered. It would be logically possible to evolve a 
standard way which made use of the best features of those 
considered. This would make standardisation of the form of the 
key and associated information easier. 

An enciphering service may or may not make use of a separate Key 
Distribution Centre, depending on the number of communicating 
locations and the complexity possible in each. This design option 
is likely to survive. The functions suggested here deliberately 
hide this choice, taking the view that it is a part of the 
service implementation which the user should be able to ignore. 

When a key is sent to a remote user it may need to be transformed 
because a different way of protecting it is needed. It may need 
to be enciphered by the remote user's location master key. 
During its journey it may need to be enciphered by a KEK used 
only for transportation. It may need to be re-enciphered by 
several such keys in the course of its journey. Such 
transformations should be hidden from the user at as low a level 
as possible so that logic can be written irrespective of the 
context created by the way the network of users is organised. 

New methods of enciphering are likely to be developed. We should 
attempt to protect users from the need to know the underlying 
changes they bring. This is, of course, an aim which cannot 
necessarily be fulfilled. At the level chosen for the functions 
of this paper we reveal the essential difference between 
symmetric and asymmetric ciphers. New methods may bring their 
own characteristics which should not be hidden. 

New applications of encipherment and related techniques are 
likely. Two mentioned here are digital signatures which do not 
use encipherment of a form which can be used for data privacy and 
a new key type dedicated to controlling resource use. 
For such reasons the subject is one which will continue to 
develop and the points made in this paper are offered as part of 
the discussion needed to find functions and techniques which may 
develop as our knowledge of the subject grows. 



References 

1. Ehrsam W.F., Matyas S.M., Meyer C.H. and Tuchman W.L.: "A 
cryptographic key management scheme for implementing the data 
encryption standard." IBM Systems Journal, vol. 17, no. 2. 

2. Jones R.W.: "Some techniques for handling encipherment 
keys." ICL Technical Journal, vol. 3, no. 2. 

3. Smid M.E.: "A key notarization system for computer networks." 
NBS Special Publication 500-54, US Dept. of Commerce. 

4. Price W.L. and Davies D.W.: "Issues in the design of a key 
distribution centre." NPL Report DNACS 43/81, National Physical 
Laboratory, Teddington, Middlesex, UK. 

5. Rivest R.L., Shamir A. and Adleman L.: "A method for obtaining 
digital signatures and public key cryptosystems." Communications 
of the ACM, February 1978. 

6. Diffie W. and Hellman M.E.: "New directions in cryptography." 
IEEE Transactions on Information Theory, vol. IT-22, no. 6. 

7. Needham R.M. and Schroeder M.D.: "Using encryption for 
authentication in large networks of computers." Communications 
of the ACM, December 1978. 

8. International Standard ISO/IS 7498. Information processing 
systems - Open systems interconnection - Basic reference model. 

9. Draft International Standard ISO/DIS 8073. Information 
processing systems - Open systems interconnection - Connection 
oriented transport protocol specification. 



AN OPTIMAL CLASS OF SYMMETRIC KEY 
GENERATION SYSTEMS 



Rolf Blom 
Ericsson Radio Systems AB 
S-163 80 Stockholm, Sweden 

Abstract. 

It is sometimes required that user pairs in a network share secret information to be used for 
mutual identification or as a key in a cipher system. If the network is large it becomes 
impractical or even impossible to store all keys securely at the users. A natural solution then 
is to supply each user with a relatively small amount of secret data from which he can derive 
all his keys. A scheme for this purpose will be presented and we call such a scheme a 
symmetric key generation system (SKGS). However, as all keys will be generated from a 
small amount of data, dependencies between keys will exist. Therefore by cooperation, users 
in the system might be able to decrease their uncertainty about keys they should not have 
access to. 

The objective of this paper is to present a class of SKGS for which the amount of secret 
information needed by each user to generate his keys is the least possible while at the same 
time a certain minimum number of users have to cooperate to resolve the uncertainty of 
unknown keys. 
Introduction 

We picture an application in which messages in a network are protected by a symmetric 
cipher. Each user pair should have a unique key which enables them to encipher messages to 
be exchanged and thereby get protection against information disclosure to other users and 
possible wiretappers. The keys shared between users are distributed at start up time by what 
we will call a key generation authority. The keys could be seen as master keys used to 
generate session keys. 

A network with n users implies that each user must have access to n-1 keys. Now, if n is 
large it becomes impractical or even impossible to store all keys securely. A natural solution 
would then be to supply each user with a relatively small amount of secret data from which 
he can derive all his keys. A scheme for this purpose will be called a symmetric key 
generation system (SKGS). However, if all keys are generated from a small amount of data 
attention must be paid to the fact that dependencies between keys will exist. These 
dependencies will be such that a group of cooperating users might be able to decrease their 
uncertainty about keys they should not know about. 

In this paper we will present a class of SKGS for which the amount of secret data, needed by 
each user, is as small as possible while at the same time a certain minimum number k of users 
have to cooperate to determine keys which are used by other user pairs. The presentation 
will be made without proofs. For a more detailed analysis and proofs the interested reader is 
referred to (1). 

Preliminaries. 

Let G denote the generator matrix of an (n,k) linear code over GF(q). Here n denotes the 
length of the codewords and k is the dimension of the code, i.e. G is a $k \times n$ matrix with 
elements in GF(q), q a prime power. The number of codewords is $q^k$ and the set of codewords 
consists of all linear combinations of the rows of G. If $d \in GF(q)^k$ denotes a vector of k 
information symbols, it is encoded into $c = dG$. 

An MDS code is usually defined by the condition that the minimum distance of the code is 
n-k+1. This condition can be shown to be equivalent to the condition that every k columns of 
G are linearly independent. For a general introduction to MDS codes see (2). From the 
property that every set of k columns in the generator matrix of an MDS code is independent it 
follows that a codeword is uniquely determined by any k elements of the codeword. It also 
follows that knowledge of fewer than k elements of a codeword reveals no information about 
any other element. 

MDS codes exist when $n \le q+1$. In the application we consider, q should be much larger than n, 
so suitable codes will always exist. 

A class of SKGS based on MDS codes. 

Let the users in the system be numbered consecutively from 1 to n. Also assume that at least 
k users shall have to cooperate to get any information about a key they should not have 
access to. We also assume that the keys should be in GF(q). 

The construction of the SKGS starts with selecting a (n,k) MDS code over GF(q) with 
generator matrix G. This G will be known by all users in the network. Then the key 
generating authority draws a random symmetric matrix D, also with elements in GF(q). The 
keys to be used by the user pairs are then given by 

$K = (DG)^T G.$ 

User pair (i, j) will use $(K)_{ij}$, i.e. the element in row i and column j of K. Obviously K is 
symmetric and hence $(K)_{ij} = (K)_{ji}$. Then if user i knows row i of K and user j knows row j of 
K, they have a common key. 

The i:th row of K is given by the i:th row of $(DG)^T$ and G. But G is assumed publicly known, so 
the only data that the key generation authority has to distribute to user i is the i:th row of 
$(DG)^T$. 

$(DG)^T$ is an $n \times k$ matrix, which means that each row consists of k elements of GF(q). Thus the 
required secret store at each user is $k \cdot \log_2 q$ bits. This is really the least possible value for an 
SKGS with the assumed parameters (see (1)). 

Finally we will give a simple explanation of why at least k users have to cooperate to get any 
information about keys they do not have. Assume m < k users cooperate. Then they know m 
rows of K. But K is symmetric and then they also know m columns. This means that they 
know m elements in each row of K for all other users. They do not know any other elements 
in these rows. Now observe that each row in K is a codeword in the code generated by G. 
Then from what was stated in the Preliminaries, knowledge of less than k elements in a 
codeword does not reveal any information about any other element in the codeword. So if 
less than k users cooperate they get no information about an unknown key. However, if k or 
more users cooperate they know all of K, because knowledge of k elements in a codeword 
uniquely determines the codeword. 
Implementation aspects. 

From a theoretical point of view it is a straightforward task to implement an SKGS based on 
MDS codes. All that is needed is a generator matrix and computational capability for matrix 
multiplication. However, rather much storage space is required to store a general generator 
matrix. To decrease this amount of storage one could use a punctured Reed-Solomon 
code, because the elements of its generator matrix are given by a simple expression, viz. 

$(G)_{ij}$ 

where $\alpha$ is a primitive element of GF(q). Then if $c = dG$ the j:th element of c will be given by 

This technique is easily applied to the class of SKGS described in the previous section and it 
shows that a simple and practical implementation exists. 
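The construction above, carried through end to end as an added example. This is illustration code written for this page, not Blom's implementation and not the code of reference (1). It assumes a prime field GF(257) with $\alpha = 3$ as primitive element (the only property used is that the n powers of $\alpha$ are distinct, which the code checks), and it takes the punctured Reed-Solomon form $(G)_{ij} = \alpha^{ij}$ of the generator matrix as given; the function names (authority_setup, derive_key, collude, consistent_values) are this example's own. It shows the authority drawing a symmetric D and handing user u row u of $(DG)^T$ (k field elements), two users deriving the same key from their rows, k colluders recovering another pair's key from the keys they share with that pair, and k-1 colluders being left with every field element equally consistent.

```python
"""Blom-type SKGS over a prime field with a Vandermonde (punctured
Reed-Solomon) generator matrix.  Added illustration, not the paper's code."""
import random

Q = 257     # the field GF(q): q prime here, so arithmetic is integers mod Q
ALPHA = 3   # primitive element of GF(257) (assumption; distinctness of its
            # powers, which is all the MDS property needs, is checked below)


def inv(a):
    """Multiplicative inverse in GF(Q) (Fermat)."""
    return pow(a, Q - 2, Q)


def generator_matrix(n, k):
    """k x n matrix with (G)_ij = ALPHA^(i*j), i.e. column j is
    (1, a, ..., a^(k-1)) at the point a = ALPHA^j.  Any k columns form a
    Vandermonde matrix at k distinct points, hence are independent: the
    code is (n, k) MDS as long as the n points are distinct."""
    points = [pow(ALPHA, j, Q) for j in range(n)]
    assert len(set(points)) == n, "n evaluation points must be distinct"
    return [[pow(a, i, Q) for a in points] for i in range(k)]


def authority_setup(n, k, rng):
    """Key generation authority: publish G, draw a random symmetric k x k
    matrix D, and give user u row u of (DG)^T, i.e. k field elements."""
    G = generator_matrix(n, k)
    D = [[0] * k for _ in range(k)]
    for i in range(k):
        for j in range(i, k):
            D[i][j] = D[j][i] = rng.randrange(Q)
    DG = [[sum(D[i][r] * G[r][j] for r in range(k)) % Q for j in range(n)]
          for i in range(k)]
    secrets = [[DG[r][u] for r in range(k)] for u in range(n)]
    return G, secrets


def derive_key(secret, G, j):
    """K_uj = (row u of (DG)^T) . (column j of G); K is symmetric because
    D is, so user j derives the same value as K_ju."""
    return sum(s * G[r][j] for r, s in enumerate(secret)) % Q


def solve(A, b):
    """Gauss-Jordan elimination over GF(Q): solve A x = b, A square and
    nonsingular (true for any k columns of G)."""
    k = len(A)
    rows = [A[i][:] + [b[i]] for i in range(k)]
    for c in range(k):
        p = next(r for r in range(c, k) if rows[r][c])
        rows[c], rows[p] = rows[p], rows[c]
        f = inv(rows[c][c])
        rows[c] = [x * f % Q for x in rows[c]]
        for r in range(k):
            if r != c and rows[r][c]:
                g = rows[r][c]
                rows[r] = [(x - g * y) % Q for x, y in zip(rows[r], rows[c])]
    return [rows[i][k] for i in range(k)]


def collude(G, secrets, colluders, u, v):
    """k colluders, none of them u or v, recover K_uv.  Colluder c knows
    K_cu = K_uc, an element of the codeword (row u of K) = s_u G, and k
    elements of an MDS codeword determine it: solve for s_u, then evaluate."""
    k = len(G)
    cols = sorted(colluders)
    assert len(cols) == k and u not in cols and v not in cols
    A = [[G[r][c] for r in range(k)] for c in cols]        # k x k, nonsingular
    b = [derive_key(secrets[c], G, u) for c in cols]       # keys they share with u
    return derive_key(solve(A, b), G, v)


def consistent_values(G, secrets, colluders, u, v):
    """With k-1 colluders, count the field elements g that are consistent
    with everything they know about K_uv.  Because any k columns of G are
    independent, for every g some secret reproduces the k-1 known keys and
    yields K_uv = g, so the count is Q: the colluders learn nothing."""
    k = len(G)
    cols = sorted(colluders)
    assert len(cols) == k - 1 and u not in cols and v not in cols
    known = [derive_key(secrets[c], G, u) for c in cols]
    A = [[G[r][c] for r in range(k)] for c in cols + [v]]
    count = 0
    for g in range(Q):
        s = solve(A, known + [g])
        if ([derive_key(s, G, c) for c in cols] == known
                and derive_key(s, G, v) == g):
            count += 1
    return count


def demo_setup(n=8, k=3, seed=1):
    """Fixed-seed network of 8 users, k = 3, for the usage below."""
    return authority_setup(n, k, random.Random(seed))


if __name__ == "__main__":
    G, secrets = demo_setup()
    print("K_56 =", derive_key(secrets[5], G, 6), " K_65 =", derive_key(secrets[6], G, 5))
    print("users 0,1,2 colluding recover K_56 =", collude(G, secrets, {0, 1, 2}, 5, 6))
    print("users 0,1 colluding: values of K_56 still consistent =",
          consistent_values(G, secrets, {0, 1}, 5, 6))
```

Each user stores k = 3 field elements instead of n-1 = 7 keys; the price is exactly the threshold the paper states: three colluders reconstruct every key in the network, while two learn nothing, which is why k must be chosen against the largest coalition one is prepared to tolerate rather than for storage alone.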
1. Introduction. 

In this paper a novel cryptosystem will be discussed that is based on a special two-way 
communication channel, the binary multiplying channel (BMC). New in this system is 
that the task of protecting the messages is mainly one for the receiver. This is in contrast 
to the classic cryptosystems, where the transmitter has this task. The receiver in a 
classic cryptosystem must know the key used by the transmitter in order to be able to 
invert the encryption mapping. The fact that keys must be shared causes great practical 
problems since practical classic cryptosystems require large keys [1],[3],[4]. One of the 
reasons for using large keys is the fact that the encrypted message is publicly known [1]. 

When a BMC is used in a communication system it will be possible to realize the 
protection of the messages in a simpler way. In Section 2 the problem of the construction 
of communication strategies for the BMC will be discussed without considering the security 
aspects. Though recently there has been much progress in solving this problem [7],[8], the 
actual construction of communication strategies for the BMC still requires some ad-hoc 
solutions. In Section 3 the special aspects of security are discussed when the BMC is used 
in a communication network. Furthermore a communication strategy is presented that 
provides good protection of the messages sent via a network. In the last section an 
application of the new system is discussed. 



2. Coding strategies for the BMC. 

Consider the communication situation given in Fig. 1a. Two messages $m_1$ and $m_2$ are to 
be transmitted over the binary multiplying channel. The BMC is a deterministic two-way 
channel with two binary inputs $x_1$ and $x_2$ and a binary output $y = x_1 x_2$, with $x_i \in \{0,1\}$, i=1,2. 
A simple realization of the BMC is given in Fig. 1b. 



Fig. 1 The BMC in a two user communication network and 
a wired-AND realization of the BMC. 

To meet our later requirements and in order to keep the codes quite simple we assume 
that 

a) the messages $m_i$, i=1,2, are taken from a finite set of messages $M = \{0,1,\ldots,m-1\}$, and that 

b) the encoders and decoders are pairwise identical. 

Furthermore we assume that 

c) the messages $m_1$ and $m_2$ are uniformly and independently distributed. 

Consider the situation where each terminal has chosen a message; say terminal 1 has 
chosen $m_1$ and terminal 2 has chosen $m_2$. The terminals start to communicate via the BMC 
in order to determine the messages chosen by their opponents. For that purpose they both 
use a set of rules. All these rules together make up the encoder and the decoder. In the 
sequel the encoding rules will be called a coding strategy. If the reconstructed message 
$\hat m_i = m_i$ for all sent messages $m_i$, then one calls the coding strategy complete. A complete 
coding strategy satisfying a) and b) is referred to as a symmetric discrete complete coding 
strategy; an SDC-strategy for short. If a coding strategy also optimizes the average 
transmission rates $R_{12}$ and $R_{21}$ then the coding strategy is called optimal as well. Here 
$R_{12} := n^{-1} I(M_1;Y \mid M_2)$ and $R_{21} := n^{-1} I(M_2;Y \mid M_1)$, i.e. the normalized average mutual information 
between $m_1$ and y when $m_2$ is known and the normalized average mutual information 
between $m_2$ and y when $m_1$ is known, respectively; n is the average number of 
transmissions. The general problem of determining the region of rate pairs $(R_{12},R_{21})$ where 
reliable communication is possible, i.e. the capacity region C(BMC) of the BMC, has been 
studied for more than two decades [2]. Recently it has been shown by Schalkwijk [6] that 
the achievable rate region as discussed in [7] is indeed C(BMC). His coding scheme is 
however not constructive and therefore some coding strategies will be discussed in this 
section. Note that in the case of an SDC-strategy one has $R_{12} = R_{21}$. 

Based upon ideas given in [5] there exists a convenient method for representing the 
coding strategies. Let $(m_1,m_2) \in M \times M$, the cartesian product of the message sets, and let us 
further associate a unit square with each message pair $(m_1,m_2)$. Then one can imagine 
regions, clusters of unit squares, in an m×m square of possible message pairs in which the 
actual message pair has to lie. The coding strategy is used in successive transmissions to 
partition these regions into smaller sub-regions until at both sides of the channel the 
position of the message pair in the m×m square is unambiguously known. 

For example, consider the case M={0,1,2,3}. The channel input $x_i$ for the first 
transmission is taken 1 if $m_i = 0,1$ or 2 and 0 if $m_i = 3$, i=1,2, see Fig. 2a. The result of the 
first transmission will be $y_1 = 1$ if $x_1 = x_2 = 1$ and $y_1 = 0$ otherwise, Fig. 2b. Note that one has 
obtained two regions, one characterized by $y_1 = 1$ and one characterized by $y_1 = 0$. Suppose 
that $y_1 = 1$ has been received. The fact that both terminals know that $y_1 = 1$ is used in the 
second transmission. The channel inputs for the second transmission are taken 1 if $m_i = 0,1$ 
and 0 if $m_i = 2$. If $y_2 = 0$ is received then one knows that $(m_1,m_2) \in \{(2,0),(2,1),(2,2),(1,2),(0,2)\}$. 
Since the correct message pair cannot be determined at this stage of the transmission 
session one continues by sending a 1 if $m_i = 1,2$ and 0 if $m_i = 0$. Suppose one has received 
$y_3 = 0$, then one has $(m_1,m_2) \in \{(2,0),(0,2)\}$. Now it is possible for the terminals to remove the 
remaining ambiguity by taking their own messages into account. Hence the transmission 
session is finished. Fig. 2c gives a complete coding strategy for the 4x4 square. 

Fig. 2 A coding strategy for the 4x4 square. 

The transmission rates $R_{12}$ and $R_{21}$ are easily calculated by exploiting condition c). If 
$w(m_1=i, m_2=j)$ denotes the number of transmissions required to determine the message pair 
(i,j) in the m×m square and $\bar w$ is the average of w over all message pairs, then 
$R_{12} = R_{21} = H(M_1)/\bar w$ bits per transmission. Here $H(M_1)$ is the average binary entropy of 
the messages $m_1$. Note that $R_{12} = R_{21} > 0.5$ bits/transmission, so $R_{12} + R_{21} > 1$ and the rate pair $(R_{12},R_{21})$ lies outside 
the time-sharing region. Larger instances of m have been studied by Post and Ligtenberg 
[8]. They looked for methods to construct high rate coding strategies. 

Some comments should be made concerning the message pairs and the corresponding 
y-sequence entries in the m×m square, Fig. 2c. Let $S(\underline y)$ denote the number of message 
pairs that have $\underline y$ as the y-sequence entry in the m×m square. Then the following holds for 
all SDC-strategies. 

Proposition 1 If $\underline y$ is the y-sequence entry corresponding with $(m_1,m_2)$, 
then $S(\underline y) = 1 \Leftrightarrow m_1 = m_2$. 

From this the following follows immediately. 

Corollary There are m different message pairs for which $S(\underline y) = 1$. 

The proof is given in the appendix. 



3. The BMC and private communication. 

In this section a communication network is considered that uses a BMC. Recalling the 
realization in Fig. 1b it is clear that the channel outputs y are public in a communication 
system in which several terminals are connected; see Fig. 3. In such a system 
communication is considered to take place between two terminals at a time while 
the other terminals cannot interrupt. 




Fig. 3 A communication system with a BMC. 

As in other communication systems, jamming is a severe threat to our system. 
However, here we will only consider a wire tapping attack by an "unfriendly" terminal. 
Therefore we will look at how much information the wire tapper gets by looking at the 
channel signals y. The worst that can happen is that during a message transfer one 
terminal is always a receiver, since then there is no real difference between the legal receiver 
and the wire-tapper. Assume for the time being that messages are only sent from one 
terminal to another. Without loss of generality we may assume that terminal 1 sends to 
terminal 2. Communication is then totally insecure in the system. In order to disturb the 
channel signals terminal 2 starts to transmit randomly chosen messages. From Section 2 it 
is clear that the wire tapper immediately knows the correct (message, noise message) pair if 
the noise message was equal to the message $m_1$ at terminal 1. If however the noise 
message $m_2 \ne m_1$ then $S(\underline y) > 1$, where $\underline y$ is the y-sequence produced by $(m_1,m_2)$. These 
observations are now to be analysed under the conditions a) and b) in Section 2. 

Let $p_{ij}$ denote the probability that message j is chosen at terminal i, i=1,2. Assume that 
$p_{ij} > 0$ for all j=0,1,...,m-1, i=1,2, and let $m_1$ and $m_2$ be independently chosen from the 
message set M. Using Proposition 1 of the previous section we obtain the average 
probability of correct interception, $P_{int}$, by the wire tapper: 

$$P_{int} = \sum_{S(\underline y)=1} \Pr(\underline y) = \sum_{i=0}^{m-1} \Pr(m_1=i, m_2=i) = \sum_{i=0}^{m-1} p_{1i} p_{2i}.$$ 

It can be shown that 

Proposition 2 If the messages are chosen independently from the set M and none of the 
messages has probability zero, then the receiver can make the probability of interception 
$P_{int} \le 1/m$ for all SDC-strategies for the BMC (see appendix). 
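The 4x4 strategy walked through in Section 2 (the inputs of the three transmissions on the path $y_1 = 1$, $y_2 = 0$, $y_3 = 0$), Proposition 1 and the interception probability of Proposition 2, simulated end to end as an added example. This is illustration code written for this page, not the paper's code, and it does not reproduce Fig. 2c: the entries of SEND_ONE for the y-histories (), (1) and (1,0) are the paper's three transmissions, while every other entry is our own completion, chosen only so that the strategy is complete (it is not claimed to match Fig. 2c or to be optimal). The function and variable names are this example's own.

```python
"""SDC coding strategy on the binary multiplying channel, M = {0,1,2,3}.
Added illustration, not the paper's code; the strategy is only partly the
paper's (see SEND_ONE)."""
from fractions import Fraction
from itertools import product
from math import log2

M = 4
PAIRS = frozenset(product(range(M), repeat=2))

# The strategy, indexed by the y-sequence received so far: the set of own
# messages for which the shared encoder puts x = 1 on the channel.
# (), (1,) and (1, 0) are the paper's three transmissions; the remaining
# entries are this example's own completion (assumption), not Fig. 2c.
SEND_ONE = {
    (): {0, 1, 2},
    (1,): {0, 1},
    (1, 0): {1, 2},
    (1, 0, 1): {2},
    (1, 1): {0},
    (1, 1, 0): {1},
    (0,): {3},
    (0, 0): {3, 0},
    (0, 0, 0): {3, 1},
}


def encoder(m, y_hist):
    """Identical at both terminals (condition b): x from own message and past y's."""
    return 1 if m in SEND_ONE[y_hist] else 0


def bmc(x1, x2):
    """The channel: y = x1 * x2 (wired-AND)."""
    return x1 & x2


def is_complete(region):
    """Complete: each terminal, knowing its own message, can name the other's,
    i.e. every row and every column of the region holds exactly one pair."""
    rows, cols = {}, {}
    for a, b in region:
        if rows.setdefault(a, b) != b or cols.setdefault(b, a) != a:
            return False
    return True


def partition(y_hist=(), region=PAIRS):
    """Run the strategy on all pairs at once, splitting the region on each
    channel output; returns {complete y-sequence: frozenset of pairs}."""
    if not region:
        return {}
    if is_complete(region):
        return {y_hist: region}
    ones = frozenset(p for p in region
                     if bmc(encoder(p[0], y_hist), encoder(p[1], y_hist)))
    leaves = partition(y_hist + (1,), ones)
    leaves.update(partition(y_hist + (0,), region - ones))
    return leaves


LEAVES = partition()


def y_sequence(m1, m2):
    """The public y-sequence produced by a message pair."""
    return next(y for y, region in LEAVES.items() if (m1, m2) in region)


def S(y):
    """Number of message pairs sharing the y-sequence y."""
    return len(LEAVES[y])


def average_transmissions():
    """w-bar over all m*m pairs (condition c: uniform)."""
    return Fraction(sum(len(y) * len(r) for y, r in LEAVES.items()), M * M)


def rate():
    """R12 = R21 = H(M1) / w-bar in bits per transmission, H(M1) = log2(m)."""
    return log2(M) / average_transmissions()


def interception_probability(p1, p2):
    """P_int: the tapper sees a y with S(y) = 1 and knows the pair; by
    Proposition 1 these are the diagonal pairs, so P_int = sum_i p1[i] p2[i]."""
    return sum(p1[a] * p2[b] for region in LEAVES.values()
               if len(region) == 1 for (a, b) in region)


def receiver_noise_distribution(p1):
    """Terminal 2's noise messages as in the proof of Proposition 2:
    p2j proportional to 1/p1j, so every diagonal pair is equally likely."""
    w = [1 / p for p in p1]
    total = sum(w)
    return [x / total for x in w]


if __name__ == "__main__":
    for y in sorted(LEAVES, key=len):
        print(y, "S(y) =", S(y), sorted(LEAVES[y]))
    uniform = [Fraction(1, M)] * M
    skewed = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 8)]
    print("w-bar =", average_transmissions(), " rate =", round(rate(), 3))
    print("P_int uniform          =", interception_probability(uniform, uniform))
    print("P_int skewed, p2 = p1   =", interception_probability(skewed, skewed))
    print("P_int skewed, p2 ~ 1/p1 =",
          interception_probability(skewed, receiver_noise_distribution(skewed)))
```

Running it shows the tapper's view: S(y) = 1 exactly on the diagonal, so m = 4 pairs are fully exposed; P_int = 1/4 for uniform messages, 11/32 if terminal 2's noise simply copies a skewed source distribution, and 2/11 when terminal 2 draws its noise as in the proof of Proposition 2 ($p_{2j}$ proportional to $1/p_{1j}$). The completed strategy needs 57/16 transmissions on average, about 0.56 bits per transmission in each direction, so the sum rate still exceeds 1 bit per channel use. The choice of noise distribution is the receiver's whole contribution to secrecy here, which is why the source statistics in Section 4 matter so much.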

At this point one could stop and use the coding strategies of the type discussed in 
Section 2. However, note that if $S(\underline y) > 1$ then the message pair $(m_1,m_2)$ is not unambiguously 
determined by $\underline y$, hence $H(M_i \mid \underline y) > 0$. Therefore coding strategies that obtain higher values 
for $S(\underline y)$ than those of the previous type are of interest. In Fig. 4 such a coding strategy is 
given for the 4x4 square. The transmission rate of this coding strategy is less (0.57 
bits/transm.) than that of the one shown in Fig. 2c. However, the new coding strategy has a 
y-sequence for which $S(\underline y) = 4$. 

Fig. 4 An alternative coding strategy for the 4x4 square 

For both the coding strategies, Fig. 2c and Fig. 4c, the average conditional entropies 
$H(M_1 \mid y_1,\ldots,y_k)$ have been calculated. Here $y_1,\ldots,y_k$ denotes the first k y-signals obtained by 
using a given strategy. In Fig. 5 these calculations are summarized. One sees that the 
coding strategy of Fig. 4c is better from a security point of view. 




Fig. 5 The average conditional entropies $H(M_1 \mid y_1,\ldots,y_k)$ 
of the coding strategies of Fig. 4c and Fig. 2c. 

The coding strategy given here can be regarded as a generalization of a code given by 
Hagelbarger [2]. From the successive squares shown in Fig. 4 it is not difficult to see how 
one should proceed to construct structurally equivalent coding strategies in the cases where 
$m = 2^n$, n=1,2,3,.... 






4. Practical considerations. 

In many practical situations the number of correctly intercepted messages will be too high. 
Especially, this will be the case if the source statistics are such that there is a high 
probability of having $S(\underline y) = 1$. In such a case one should try to obtain a more uniform 
probability distribution of the message pairs. If condition c) is satisfied one needs only to 
take a large value of m to lower $P_{int}$. If this is not satisfactory one could think of using 
one of the following solutions to the problem. First one could still use some classic 
cryptosystem to encrypt the messages. This cryptosystem could be quite rudimentary since 
most of the encrypted messages cannot be correctly intercepted. For the same reason the 
use of source encoding would be a solution too. A different type of solution would be the 
use of a randomly determined permutation. Suppose the two communicating terminals do 
not start by communicating their messages but send randomly generated 
messages first. If at a certain moment enough, say N, noise pairs have been generated for which 
$S(\underline y) > 1$ (or maximal), then these noise pairs determine a permutation of the messages. If the 
probabilities $\Pr(m_1=i, m_2=i)$ are the same for all values of $i \in M$, it will be difficult for a 
wire-tapper to reconstruct this permutation. 

Besides the listen-only attack and the problem of jamming, there are some other severe 
attacks on a network such as the one given in Fig. 3. If an attacker splits the network 
into two groups he will be able to monitor all communications between the groups. 
Furthermore if two attackers work closely together they can in principle tap the "wire" by 
comparing the timing of the signal patterns at different points. Therefore the channel itself 
must be well protected to provide security. 

5. Conclusions. 

The binary multiplying channel has interesting properties for use in a private 
communication system. First, one can send with a total average transmission rate which is 
larger than 1 bit per channel use. Furthermore, in a communication system that uses a 
BMC the protection of the messages can be realized by the receiver. Therefore there is no 
need to use keys when protecting the messages. However, keys might be used to solve the 
problem of determining the authenticity of the user. 

A "wired-and" realisation of the BMC gives the opportunity to construct a small 
communication network that is well protected against tapping. In general, the security of a 
communication network that uses a BMC requires safeguarding of the channel itself against 
attacks. 
Appendix. 

Consider an SDC-strategy for the coding of an m×m square. The condition that the 
strategy is complete is here reformulated as having $H(M_i \mid \underline y, m_j) = 0$, i,j=1,2, $i \ne j$, for all 
possible y-sequence entries in a completed square. 

Let $y^k(m_1,m_2)$ denote the y-sequence $y_1,\ldots,y_k$ produced by the message pair 
$(m_1,m_2) \in M^2$ up to the k-th transmission. Furthermore $y^c(m_1,m_2)$ denotes the y-sequence 
obtained by using $(m_1,m_2)$ when the communication is completed. Let $E(m_i, y^k(m_1,m_2))$ 
denote the encoding of message $m_i$ after receiving $y^k(m_1,m_2)$. 

Lemma 1 Let $m_1,m_2,m_3,m_4 \in M$. Assume that $y^c(m_1,m_2) = y^c(m_3,m_4)$ and that $x_{2,1},\ldots,x_{2,c}$ are 
the inputs produced by encoder 2 using $(m_1,m_2)$ and $x'_{2,1},\ldots,x'_{2,c}$ those produced using $(m_3,m_4)$. If 
$x_{2,i} = x'_{2,i}$ for $i=1,\ldots,c$, then $y^c(m_1,m_4) = y^c(m_1,m_2)$. 

Proof: Let $(m_1,m_4)$ be the transmitted message pair. Obviously $y^1(m_1,m_4) = y^1(m_1,m_2)$ since the 
first input letters depend only on the m's. So let $y^k(m_1,m_4) = y^k(m_1,m_2)$ for all $k \le N < c$. 
First observe that the encoder 1 output equals $x_{1,N+1} = E(m_1, y^N(m_1,m_4)) = E(m_1, y^N(m_1,m_2))$. 
The encoder 2 output can be calculated as $x_{2,N+1} = E(m_4, y^N(m_1,m_4)) = E(m_4, y_1,\ldots,y_N) = E(m_4, y^N(m_3,m_4)) = x'_{2,N+1} = E(m_2, y^N(m_1,m_2))$. Thus $y^{N+1}(m_1,m_4) = y^{N+1}(m_1,m_2)$.// 

Let $(i,j) \in M^2$ and define $Reg^k(i,j) := \{(m_1,m_2) \in M^2 \mid y^k(m_1,m_2) = y^k(i,j)\}$ for all $k \in \mathbb N$ for 
which $y^k(i,j)$ is defined. $Reg^0(i,j)$ is equal to M×M for all $(i,j) \in M^2$. 

Lemma 2 $(m,m) \in Reg^c(m,n)$ with $m \ne n$ is impossible. 

Proof: Let $(m,m) \in Reg^c(m,n)$ with $m \ne n$. Then $y^c(m,m) = y^c(n,m) = y^c(m,n) = \underline y$. This implies 
however that $H(M_1 \mid \underline y, m_2 = m) > 0$, which contradicts the completeness of the strategy.// 

Lemma 3 $y^c(m_1,m_1) = y^c(m_2,m_2) \Rightarrow m_1 = m_2$ for all $m_1,m_2 \in M$. 

Proof: Let $y^c(m_1,m_1) = y^c(m_2,m_2)$ and suppose $m_1 \ne m_2$. If $y^c(m_1,m_1) = y^c(m_2,m_2)$ then the 
inputs are the same at both sides of the channel. So by Lemma 1 we now have 
$y^c(m_1,m_2) = y^c(m_1,m_1)$, i.e. $(m_1,m_2) \in Reg^c(m_1,m_1)$, which is impossible by Lemma 2.// 

Lemma 4 Let $m,m_1,m_2 \in M$. If $(m,m) \ne (m_1,m_2)$ then $y^c(m_1,m_2) \ne y^c(m,m)$. 

Proof: Let $y^c(m_1,m_2) = y^c(m,m)$ and $(m,m) \ne (m_1,m_2)$. If $m_1 = m_2$ then by Lemma 3 $m_1 = m_2 = m$. 
So let $m_1 \ne m_2$ and, because of Lemma 2, also $m_i \ne m$, i=1,2. Obviously we have 
$(m_1,m_2),(m_2,m_1),(m,m_2),(m_2,m) \in Reg^0(m,m)$. Let k be an integer and 
$(m_1,m_2),(m_2,m_1),(m,m_2),(m_2,m) \in Reg^k(m,m)$ for all $k \le N < c$. If $y_{N+1}(m,m) = y_{N+1}(m_1,m_2) = 1$ then 
$E(m, y^N(m,m)) = 1$ and $E(m_2, y^N(m,m_2)) = 1$. Thus the (N+1)-th channel output using $(m,m_2)$ is 
$y_{N+1}(m,m_2) = y_{N+1}(m_2,m) = 1$. If $y_{N+1}(m,m) = y_{N+1}(m_1,m_2) = 0$ then 
$E(m, y^N(m,m)) = E(m, y^N(m,m_2)) = 0 \Rightarrow y_{N+1}(m,m_2) = y_{N+1}(m_2,m) = 0$. Therefore we have 
$(m_1,m_2),(m_2,m_1),(m,m_2),(m_2,m) \in Reg^{N+1}(m,m)$. This ultimately leads to 
$(m_1,m_2),(m_2,m_1),(m,m_2),(m_2,m) \in Reg^c(m,m)$. In particular we have $(m,m) \in Reg^c(m,m_2)$, which is impossible by Lemma 2.// 

Proof of Proposition 1 

$(\Rightarrow)$ Let $\underline y = y^c(m_1,m_2)$ such that $S(\underline y) = 1$. If $m_1 \ne m_2$ then via $y^c(m_1,m_2) = y^c(m_2,m_1)$ we have 
$(m_1,m_2) \ne (m_2,m_1) \in Reg^c(m_1,m_2) \Rightarrow S(\underline y) > 1$. So $m_1 = m_2$. 

$(\Leftarrow)$ Now let $m_1 = m_2 = m$. Suppose $S(\underline y) > 1$. Then by Lemma 3 there exists a message pair 
$(k,l) \ne (m,m)$, $k \ne l$, for which $y^c(k,l) = \underline y$. This however contradicts Lemma 4.// 

Define for n=2,3,4,5,... the functions $F_n$ as $F_n(a_0,\ldots,a_{n-1}) = a_0^{-1} + \cdots + a_{n-1}^{-1}$ with $a_i \in \mathbb R^+$. 

Lemma 5 $F_n$ is convex over $(\mathbb R^+)^n$. 

Proof: Let $\underline a = (a_0,\ldots,a_{n-1})$ and $\underline b = (b_0,\ldots,b_{n-1})$ with $a_i, b_i \in \mathbb R^+$; then for $x \in (0,1)$ one has 

$$x F_n(\underline a) + (1-x) F_n(\underline b) - F_n(x\underline a + (1-x)\underline b) = x(1-x) \sum_i [a_i - b_i]^2 \,[a_i b_i (x a_i + (1-x) b_i)]^{-1} \ge 0.//$$ 

Proof of Proposition 2 

Let the receiver be terminal 2. Assume that the messages have a distribution such that 
$p_{1j} p_{2j} = $ constant (> 0). The channel outputs can be used to set the $p_{2j}$'s such that this is true. 
By straightforward calculation we get $P_{int} = m \,(\sum_j p_{1j}^{-1})^{-1}$. Now $P_{int}$ is maximal when 
$\sum_j p_{1j}^{-1}$ is minimal. Observe that the latter summation is in fact $F_m(p_{10},\ldots,p_{1,m-1})$. 
Observe also that by Lemma 5 $F_m$ is convex and $\sum_j p_{1j} = 1$. Maximizing $-F_m + \lambda \sum_j p_{1j}$ with 
a Lagrange multiplier $\lambda$ gives a minimum for $F_m$ at $p_{1j} = 1/m$, j=0,...,m-1. 
Hence $\min F_m(p_{10},\ldots,p_{1,m-1}) = m^2 \Rightarrow \max P_{int} = m^{-1}$.// 
Abstract 

In recent years, much effort has gone into the development of high 
bandwidth communication networks for use over relatively short (local) 
distances, e.g. an office, an industrial complex, a research laboratory, 
etc. The high bandwidth of these networks allows many of the services now 
requiring separate networks such as facsimile, digitized voice, file 
transfer and interactive terminal data, to be integrated into a common 
transmission facility. Manufacturers are currently developing products 
which conform to the recently established IEEE 802 standard for Local Area 
Networks (LANs). This standard is based on the concept of a layered, "peer 
entity" communication protocol put forth in the International Organization 
for Standardization's (ISO) seven layer model for Open Systems Interconnection 
(OSI). 

In this paper we define the notions of secrecy and privacy as they 
relate to a LAN environment and the various services a network is required 
to provide such as data integrity, authentication and digital signature 
services. We also describe the cost-benefit tradeoff involved in attain- 
ing various levels of privacy and secrecy. 
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l^l^ Introduction 

This paper will be presented in two parts; the first part is a 
general description of the secrecy and privacy requirements in a local 
area network environment. In the second part of the paper we present 
some observations and proposed methods for integrating secrecy and 
privacy into established network protocols. 

In the past few years, much research and development has been 
concentrated in the area of local communication networks. In general, 
local area communication networks (LANs) provide a multiple access environ- 
ment over a relatively small geographical area such as a room, building 
or group of buildings with maximum network lengths of a few kilometers. 
An introduction to local area networks and their applications can be found 
in [1]. The main characteristics of a LAN can be summarized as follows: 

1. Topology - ring, bus or star are the most popular config- 
urations (see Fig. 1) 

2. Transmission medium and technology - there are two popu- 
lar methods 

coaxial cable - baseband or RF modulated 
transmissions 

fibre optic 

3. Media Access Protocol- there are two broad classes of 
media access protocols - contention (random access) 
protocols and non-contention protocols 

4. Communication protocols and type of services provided by 
the network (i.e. unacknowledged connectionless services, 
connection oriented services¹). 

LANs are finding increasing applications in research, industrial 
and office environments where the trend is towards the integration of 
many services such as digitized voice, interactive terminal data, facsi- 
mile transfer, file transfer and electronic mail into a single common 
communications facility linking all users. A characteristic which is 
common to all LANs is the ability to establish a connection between any 
pair of users (transceivers). This is usually accomplished by broadcast 
techniques where the message is transmitted on the network along with 
source and destination information in such a way that all of the trans- 
actions on the network can be heard by every network transceiver. In 
addition to the study of various applications, work is proceeding on the 
development of communications protocols for LANs. 



1.2 The Open System Interconnection 

The International Organization for Standardization (ISO) has 
proposed a model for communication protocols in networks called the 
Open Systems Interconnection (OSI) model, which is currently being used as a 
basis for the IEEE Project 802 standard for LANs [3]. The OSI model, shown 
in Fig. 2, defines seven layers of complementary protocols where communi- 
cation is defined as taking place between equivalent or peer entities at 
each user site. To facilitate this, the upper layers are built on the 
services of the lower layers (as well as adding value to those services) 
in such a manner as to isolate the user from the physical operation of the 
network. The n-layer services of a layer are the capabilities it offers 
to n-layer users. Thus, at the higher layers, the user is not aware of, 
or concerned with, the operation of the network as this becomes trans- 
parent. A summary of the OSI model can be found in [2]. 



¹ These terms are consistent with Type I and Type II Logical Link 
Control (LLC) services of IEEE 802.2. 
1.3 IEEE Project 802 

The IEEE 802 standard is actually a family of standards 802.1 
through 802.6 which deal with the physical and data link layers of the OSI 
model. Fig. 3 shows the relationship between the IEEE Project 802 stand- 
ard and the ISO model. 

Standard 802.1 is used to describe the relationship between these 
standards and the OSI model. Due to the diversity of media-access methods 
and transmission technology (as was described previously), a number of 
standards were required to cover the physical and data link layers. In 
the 802 standard, the data link layer is split into two sublayers, a 
common Logical Link Control sublayer (LLC) and a Media Access Control 
(MAC) sublayer which is tailored to the requirements of the various types 
of LANs, i.e.: 

802.3 standard for CSMA/CD bus networks 

802.4 standard for token-passing bus networks 

802.5 standard for token-passing ring networks 

802.6 standard for metropolitan area networks (MANs) . 

This structure allows a common interface at the LLC sublayer and informa- 
tion (Protocol Data Units) passing into and out of the LLC from above 
(Network Layer) or from below (MAC sublayer), are standardized. 

A detailed description of these standards is beyond the scope of 
this report (see [4]-[6]) but we will describe a few of the basic princi- 
ples. As mentioned previously, all layers are built on the services they 
provide or use. The general format of messages to/from the various layers 
is shown in Fig. 4. 

Messages may be of three generic types: 

i) Request - a primitive for requesting n-layer services by an 
n-layer user 

ii) Indication - a primitive used to indicate to an n-layer user an 
internal n-layer event which may be significant (e.g. a remote 
service request) 

iii) Confirm - a primitive which conveys to an n-layer user the 
results of a previous request for n-layer service 

All communication and information passing is performed using this type of 
hierarchical structure. 

The LLC layer supplies two types of message exchange service: i) Type I, Unacknowledged Connectionless Service and ii) Type II, Connection Oriented Service. In Unacknowledged Connectionless service, network layer entities exchange Link Service Data Units (LSDUs) without establishing a data link level connection. In Connection Oriented service, LLC provides the means for establishing, using, resetting and terminating data link layer connections along with data link layer sequencing, flow control and error recovery procedures. Thus, the message transfer services can be loosely coupled ("datagram") or tightly coupled ("virtual circuit") type connections.



1.4 The Problem

The increased use of digital communications for business transactions also increases the need for secrecy and privacy. Unfortunately, the two requirements are sometimes contradictory. On one hand, we require access to a wide variety of services yet, we may wish to keep the information exchanged secret. The various types of traffic on the network will have different characteristics and requirements such as delay, buffer space and priority. In addition, different types of traffic will have different security requirements. For instance, in an industrial environment, top level memos may require complete secrecy. In the banking environment, more emphasis is placed on the authentication of a transaction than on its secrecy. In the most basic time-sharing systems, the operating system must ensure only legitimate users are allowed access. For digitized voice, most people are content with the level of privacy provided by an unencoded analog telephone connection; their only real concern is that a conversation does not allow "party-line" interception, that is, no casual listener can overhear their conversation; thus, the normal level of privacy for voice is minimal. Data bases tend to be available to all users but clearly, steps must be taken to prevent unauthorized additions or deletions. If we consider the concept of an electronic mail service, one would envisage a central mail server which would act as a temporary depository for messages which could not be immediately delivered. This type of service presents a difficult problem in that messages must be authenticated when they are placed in the service, they must be protected from unauthorized disclosure, addition, modification and deletion while in the mail server and they must be delivered in a manner which will preserve the privacy of the message (this tends to be a more complex problem than a secure database system).

Our objective in this paper is to outline some possible methods by which secrecy, privacy, and authentication techniques can be incorporated into a hierarchically structured network using already established protocols as a base. An example of the type of network where these methods may be applied is the Waterloo Experimental Local NETwork (WELNET) which is classified as a non-contention broadcast network which conforms to the IEEE 802.2 standard for Logical Link Control (LLC) (see [7]).

In the IEEE 802 standard and OSI model an (N-1) layer may supply services to more than one N layer entity. The (N-1) layer and N layer communicate through Service Access Points (SAPs) which are addressable points in each layer. When a message is generated, the source N layer entity and destination N layer entity addresses are appended to the message. This is then passed to the (N-1) layer. At this layer, the corresponding source/destination addresses for the (N-1) entities are also appended. Upon reception, the address information is stripped away as the message is passed up through the layers to its destination. The addressing is thus structured so that each layer only requires the part of the address which allows that layer to pass the message to the appropriate SAP. In Fig. 5, we show the message format adopted for WELNET as it passes from the Network layer through the LLC and MAC sublayers.



1.5 Classification of Threats in a Network

We now define a few of the terms which will be used throughout this study. A LAN is classified as an open broadcast network in which we assume messages may be received by both the intended recipient and unauthorized listeners. This will, in general, be the case unless the entire network, including the transmission media and all access points, is made physically secure. In most cases this is impractical.

The points where attacks can be made in the network are shown in Fig. 6. Here the network consists of the transmission medium, a network interface (transceiver) and the user equipment (terminal, host, etc.).

1.5.1 Low Level Threats

The types of threats present in a LAN environment can be broken down into a number of categories. The simplest form of attack is that of the passive listener (eavesdropper). In Fig. 6, we show the points in the network where the wiretapper may position the listening (recording) device. The position of the tap determines the complexity of the device, the amount of information available and the security procedures the wiretapper must overcome to gain the information. If a tap is placed on the transmission medium, the listener can intercept messages intended for any user on the network since messages contain source/destination addressing plus virtual circuit and sequencing information (the job is much easier than that of intercepting telephone information since all signals and the information required to separate them are carried on one transmission medium). If the tap is placed at the terminal connection, only information for a specific user is available, but the wiretap device can be relatively simple and this method has the added advantage of defeating any security procedures installed in the network itself. The problem also changes with the type of LAN involved. Consider a LAN which uses a broadcast bus structure: this system has the property that it is very easy for a passive wiretapper to obtain information from the bus without detection, but it is very difficult for an active wiretapper to impersonate another transceiver without detection (assuming the operating system of the transceivers will check to determine if the header address is correct). This property does not hold in a ring network where one can easily conceive of using two transceivers to surround a legitimate transceiver and originate, alter or delete messages (although how one taps into the loop without detection is not clear).

The transmission medium also plays a role in the difficulty facing an attacker. Coaxial cable is easy to tap and this can be done without interruption of service. Passive listening can be performed with a direct connection or by inductive means. An answer to this problem is the use of fibre optics, but fibre optics do not lend themselves to bus architectures.

In consideration of fibre optics as the transmission medium, one also observes that they are not prone to wiretap by inductive pickup or electromagnetic emission. To tap the fibre, some portion of the signal must be diverted which, by current techniques, results in detectable attenuation factors at the receiving end. To counter this problem, the attacker could introduce an active tap which would repeat the signal, compensating for any attenuation, but this again necessitates interruption of the fibre which should be detectable.



1.5.2 Higher Level Threats

In the previous discussion it was assumed that the attacker was tapping the network itself to gain the information or send the messages he required. These are basically attacks against the lower layers of the OSI model. We now look at the case where the attacker has gained entry (either an authorized user making unauthorized use or someone obtaining authorized use by breaking the login procedure). From this point on the network serves merely as a transport method for accessing the service under attack (this is shown in Figs. 7-8). All safeguards incorporated into the lower protocol levels will be nullified once valid entry is obtained.

The threats to the higher levels of the network can be quite varied. The main objective is to protect user data, data bases, hardware and the host operating system from deletion, modification, disclosure and unauthorized use. Each type of data is different and will require a different approach to secrecy and privacy.

In this study, we will only be concerned with the problems of security in a network environment. At present, there is a strong interaction between the various LAN configurations outlined above and each will have its own repercussions when the implementation of secrecy and privacy is considered.

In the OSI model, security is introduced into level six of the model. If we look at the system model, there is a division of tasks between the network and the host computer. This division is shown in Fig. 8. Below this division, protocols are needed to protect the messages on the network from the passive or active eavesdropper. Above the division, the network is used purely as a means of access and any attacks are directed at the host computer (we also consider here that the concept of the layered protocol is to make the operations of the underlying network transparent to the user). The isolation present in the OSI model also decouples any "real-time" protection from the upper layers, i.e., since the upper layers are independent of the lower layers such as the media access protocol, an authentication and data integrity system based on a time stamp approach could not be implemented at a high layer in the model. An example of this would be the wide variance of access times present in a moderately to heavily loaded CSMA/CD system. These examples tend to indicate that certain forms of protection must be implemented very close to the physical layer of the protocols. In addition, some of the services may be built on top of these services at the low layers; thus we can conceive of a secrecy and privacy implementation which is, itself, a layered protocol which uses the services of the layers underneath it.



1.6 Network Security

The main objectives of network security as defined in [8]-[10] are to:

i) prevent unauthorized release (disclosure) of information

ii) prevent unauthorized message addition, deletion or modification

iii) prevent unauthorized denial of resource use.

Network security can be broken down into two subtopics: 1) Secrecy and Privacy techniques and 2) Authentication and Data Integrity techniques. Secrecy and Privacy techniques are intended to provide protection against passive attacks (as per requirement (i)). Authentication deals with the ability to uniquely (and correctly) identify the originator of a message while Integrity deals with the uncorrupted transport of user messages (requirements (ii) and (iii)) in the presence of active attacks.

Many of the current approaches to secrecy and privacy are ad hoc in nature, many of them evolving as remedies for problems found in existing systems. A review of the various techniques which have been applied to networks can be found in references [11]-[15].



Part II: Observations and Implementations

2.1 Cryptanalytic Effort

The primary objectives of a secrecy system can be summarized as follows:

i) provide as much protection to the user's messages as possible (i.e. maximize the amount of work an attacker must perform in order to recover message contents)

ii) minimize the amount of information which the attacker can gain if cryptanalysis is successful (i.e. this can be done by changing keys regularly or by using multiple keys in the system)

iii) minimize the effort required to perform network maintenance, i.e. to change keys, manage keys and to initiate secure communications, etc.

Observation I

It is generally accepted that, from a secrecy and privacy point of view, the use of multiple keys in a network increases the protection for users' messages and decreases the amount of information an attacker can obtain by successful cryptanalysis. Thus, it is advantageous to maximize the number of keys in the system (ideally, each user would have its own key). Unfortunately, this leads us to deal with the problem of key management and distribution. If the number of keys is large, the problem of maintaining the security of the keys and distributing new keys requires serious consideration (this problem has been the object of considerable study [16]-[17]).

Observation II

Let's consider the effort required by the attacker to recover a key by cryptanalysis under the following assumptions:

i) a message on the network will belong to a class i, 1 <= i <= n, if it is enciphered with the i-th key

ii) messages are indistinguishable before cryptanalysis (i.e. source/destination information is also enciphered as part of the message)

iii) the attacker must recover at least two messages of the same class for successful cryptanalysis

iv) the probability of a particular message being of class i is 1/n (i.e. messages of the various classes are equally likely)

v) the effort to cryptanalyze one pair of messages is 1 work unit

Under these assumptions, we can calculate the expected number of tries and thus the expected effort the attacker must make before recovering two messages of the same class. It is easily shown that the expected effort is:

$$E(W) = \sum_{i=2}^{n} i \left(\frac{n-1}{n}\right)^{i-2} \left(\frac{1}{n}\right) = n$$

Thus, the effort required by the attacker is linear in n, that is, increasing the number of keys by a factor m simply increases the effort required by the attacker by approximately the same amount. If we now consider the effort required to manage and distribute keys and it also increases at least linearly in n (i.e. it takes twice as much effort to manage two keys as one, etc.), then nothing is gained by using multiple keys; that is, under these constraints, it is better to use one key and change it regularly.

An improvement could be made if we increased the effective number of keys without increasing the actual number of keys. In the next section we will examine one method by which this could be done.



2.2 Horizontal/Vertical Keying

In Part I of this paper we described the protocols of the IEEE 802 standard and the OSI model. In that section we noted that the message structure was such that the address and control information for a particular level (N) is encapsulated in the frame structure of the layer below (N-1). If we expand this structure as shown in Fig. 9, we see that, even though there are n entities at the top level, the address space is the product of the address spaces at each level (i.e. two messages can share the same address at layer N but be different at the (N-1) layer). Thus a unique path through the tree is defined even if addresses at the upper layers are reused.

At this point we will introduce two terms. Horizontal keying refers to the process of assigning individual keys to each of the n entities at the uppermost layer. Vertical keying takes advantage of the reuse of address space: at each layer we define a set of keys the number of which is equal to the address space of that layer and use multiple encryption, i.e., the message is first encrypted with the key of the peer destination entity, then passed to the next lower layer where it is encapsulated and encrypted using the key of the peer destination entity of that layer (Note: by default, each half of a transaction is separately encrypted, thus presenting an even more difficult task for the attacker). Assuming a block type encryption method that does not expand the message (for example DES [18]) and that the multiple encryption process cannot easily be factored, then the effective number of keys is the product of the number of keys at each level while the actual number of keys is the sum of the number of keys at each level. If we look at the implementation shown in Fig. 5, where there are two layers (LLC and MAC), the maximum number of entities is:

$$n = 2^{16} \times 2^{6} = 2^{22}$$

while the number of keys required in the system is

$$k = 2^{16} + 2^{6} = O(2^{16})$$

if all of the address space is used for just these two layers.

As we noted in our discussion of the addressing format, when messages (Protocol Data Units) are passed from layer N to layer (N+1), the N layer only needs to know the address of the appropriate Service Access Point (SAP) for that layer (i.e., upon delivery, address and control information is "peeled" away from the message). Thus, to implement the structured enciphering method, we must ensure that the address information is easily recoverable at each level. This could be done by i) enciphering only the message portion of the PDU, leaving the address information to be enciphered at the next lower layer or, ii) enciphering the entire PDU including the addresses before passing it to the next lower layer. Upon delivery, method (i) allows the N layer to directly determine which N-SAP to pass the message to while method (ii) requires a test of all the keys at that layer (which will add overhead to the system). The advantage of method (ii) is that, even if an N-layer key is recovered, it does not reveal the grouping of messages for the (N+1) layer (i.e. which of the (N+1) layer keys the message is enciphered under).
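To make the key arithmetic and the two delivery methods concrete, here is an added Python example; it is not code from the paper or from WELNET. It substitutes a SHA-256-based Feistel network for DES (non-expanding, DES-sized blocks), derives each layer's destination keys from a constructed master secret (the paper assumes all entities of a layer hold that layer's keys), uses constructed address widths of 4 and 2 bits so that a trial over every LLC key is cheap, and adds six zero bytes of redundancy to each header so that method (ii) can recognise the correct key; `effective_and_actual_keys` reproduces the product/sum calculation for the paper's 16- and 6-bit address spaces.

```python
import hashlib
from typing import Optional, Tuple

# Constructed address widths for the demo (the paper's Fig. 5 uses 16-bit LLC SAPs and 6-bit MAC addresses).
LLC_ADDR_BITS = 4
MAC_ADDR_BITS = 2
BLOCK = 8        # block width in bytes of the toy cipher (DES-sized, non-expanding)
ROUNDS = 4
MASTER = b"constructed master secret"   # hypothetical shared secret from which each layer's keys derive


def effective_and_actual_keys(*addr_bits: int) -> Tuple[int, int]:
    """Effective keys = product of the per-layer key sets; actual keys = their sum."""
    effective, actual = 1, 0
    for bits in addr_bits:
        effective *= 2 ** bits
        actual += 2 ** bits
    return effective, actual


def layer_key(layer: str, dst: int) -> bytes:
    """Destination key of one layer; all entities of that layer are assumed to hold these keys."""
    return hashlib.sha256(MASTER + layer.encode() + dst.to_bytes(2, "big")).digest()


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_fn(key, rnd, right)))
    return right + left          # final swap: decryption is the same network with the rounds reversed


def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy block cipher (SHA-256 Feistel, ECB) standing in for DES; output length equals input length."""
    assert len(data) % BLOCK == 0, "caller pads PDUs to a whole number of blocks"
    return b"".join(_feistel(key, data[i:i + BLOCK], range(ROUNDS)) for i in range(0, len(data), BLOCK))


def decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(_feistel(key, data[i:i + BLOCK], reversed(range(ROUNDS))) for i in range(0, len(data), BLOCK))


def header(dst: int, src: int) -> bytes:
    """One-block header: destination address, source address, six zero bytes of redundancy."""
    return bytes([dst, src]) + bytes(6)


def send(payload: bytes, llc_dst: int, llc_src: int, mac_dst: int, mac_src: int, method: str) -> bytes:
    """Vertical keying over two layers. Method "i": LLC enciphers only its payload and leaves its
    header for the MAC layer to encipher. Method "ii": LLC enciphers its entire PDU, header included."""
    llc_key = layer_key("LLC", llc_dst)
    if method == "i":
        llc_pdu = header(llc_dst, llc_src) + encrypt(llc_key, payload)
    else:
        llc_pdu = encrypt(llc_key, header(llc_dst, llc_src) + payload)
    # MAC layer: its own header stays in clear (the transceiver must read it); the rest is under the MAC key.
    return header(mac_dst, mac_src) + encrypt(layer_key("MAC", mac_dst), llc_pdu)


def receive(frame: bytes, method: str) -> Optional[Tuple[int, bytes]]:
    """Peel the MAC layer, find the N-SAP, and return (llc_dst, payload); None if no LLC key fits."""
    llc_pdu = decrypt(layer_key("MAC", frame[0]), frame[BLOCK:])
    if method == "i":
        llc_dst = llc_pdu[0]                      # address readable: hand straight to that SAP
        return llc_dst, decrypt(layer_key("LLC", llc_dst), llc_pdu[BLOCK:])
    for cand in range(2 ** LLC_ADDR_BITS):        # method (ii): trial-decrypt the header under every LLC key
        hdr = decrypt(layer_key("LLC", cand), llc_pdu[:BLOCK])
        if hdr[0] == cand and hdr[2:] == bytes(6):
            return cand, decrypt(layer_key("LLC", cand), llc_pdu)[BLOCK:]
    return None


def llc_dst_seen_with_mac_key(frame: bytes, method: str) -> Optional[int]:
    """What a party holding only the MAC key learns about the (N+1)-layer grouping."""
    llc_pdu = decrypt(layer_key("MAC", frame[0]), frame[BLOCK:])
    return llc_pdu[0] if method == "i" else None   # in (ii) the first block is still LLC ciphertext
```

Running `receive` on a frame built with method (i) returns the N-SAP directly, while for method (ii) it has to trial-decrypt the first block under every LLC key; `llc_dst_seen_with_mac_key` shows the trade-off the text describes, since a party holding only the MAC key reads the LLC destination in method (i) but sees only ciphertext in method (ii).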

2.3 Secrecy, Privacy, Authentication and Data Integrity

In the previous part, we noted that the IEEE 802.2 LLC standard supports two types of service: a loosely coupled unacknowledged connectionless service and a tightly coupled (by sequencing, flow control and error detection procedures) connection-oriented service. The requirements for secrecy and privacy in our definitions are met by the first type of service, that is, the multiple encryption scheme prevents the attacker from easily recovering information by passive techniques. If authentication and data integrity are required, a connection oriented service should be used. The sequencing and error detection techniques integral to the service will prevent most active attacks.

Summary

We have shown that by using the hierarchical protocol structure proposed for local area networks, we can improve the difficulty presented to the passive attacker by using multiple encryption techniques. In most networks, a trade-off exists between the number of keys (which should be maximized) and the difficulty of distributing and managing the keys. By using the address structure used in the protocol models, we can reduce the actual number of keys by a significant factor while still presenting a high level of difficulty to the attacker.

* We assume here that the keys for a particular layer are known by all entities of that layer. In addition, since destination keying is performed, there is a different key used for each direction of a conversation, thus providing additional difficulty for the attacker.

By using the two types of services supplied by the IEEE 802.2 standard, we can choose between a service which supports private and secret communication or one which tightly couples the communication in such a way as to allow authentication (i.e. prevention of active attacks on the network).

We also note that these features are transparent to the network users and further services can be built upon these services (e.g. a Public Key System for extra secrecy or digital signature, etc.). This area will continue to be an area of interest as more manufacturers begin to supply equipment conforming to the new standards.
Abstract

In a paper entitled "The Prisoners' Problem and the Subliminal Channel" [1], the present author showed that a message authentication without secrecy channel providing m bits of overt communication and r bits of message authentication could be perverted to allow an l < r bit covert channel between the transmitter and a designated receiver at the expense of reducing the message authentication capability to r-l bits, without affecting the overt channel. It was also shown that under quite reasonable conditions the detection of even the existence of this covert channel could be made as difficult as the underlying cryptoalgorithm was difficult to "break." In view of this open — but indetectable — existence, the covert channel was called the "subliminal" channel. The examples constructed in [1], although adequate to prove the existence of such channels, did not appear to be feasible to extend to interesting communications systems. Fortunately, two digital signature schemes have been proposed since Crypto 83 — one by Ong-Schnorr-Shamir [2] based on the difficulty of factoring sufficiently large composite numbers and one by Gamal [3] based on the difficulty of taking discrete logarithms with respect to a primitive element in a finite field — that provide ideal bases for implementing practical subliminal channels. This paper reviews briefly the essential features of the subliminal channel and then discusses implementations in both the Ong-Schnorr-Shamir and Gamal digital signature channels.

* This work was performed at Sandia National Laboratories supported by the U.S. Department of Energy under contract No. DE-AC04-76DP00789.
Introduction

The subliminal channel was first conceived of as a way of "cheating" in an authentication without secrecy channel of the type considered for various treaty compliance verification schemes [4,5]. More recently, it has been recognized that several digital signature schemes lend themselves equally well to subliminal communications. Since there are some (significant?) differences between the two, we briefly review the first formulation — based on perverting a message authentication without secrecy channel — and then discuss how such channels can also be concealed in digital signatures.

In order to communicate m bits of information and to provide for r bits of authentication, at least m+r bits must be exchanged. The r bits are in a strict sense redundant information since they are only used by the receiver to partition the set of all possible messages into disjoint subsets of acceptable (i.e., authentic) and unacceptable messages. In complete generality, authentication, with or without secrecy of the information from an opponent, depends on the message containing information already known (in some sense) to the receiver. The receiver equates the presence of this prearranged information with the authenticity of the message. Conversely, the absence of this information is interpreted to mean that the communication is not genuine. For example, authentic messages may be required to include a "one time" suffix known in secret to the transmitter and authorized receiver but not to an opponent, as is the common practice in military authentication systems. Since the opponent must be prevented from simply "stripping off" the authenticating information from a genuine message and appending it to a fraudulent or altered message, the information — both message and authenticating — is generally secured from outsiders by encryption. In order to make each symbol or collection of symbols in the cipher — which the opponent may alter — be a function of all of the symbols in both the message itself and in the authenticator, the encryption is commonly done as a block cipher (if m+r is small enough) or else as a block chain or feedback cipher, so as to produce the desired "spreading" of symbol dependence. In any event, if the cryptoalgorithm is adequately secure, the probability of the opponent being able to deceive the receiver into accepting a fraudulent or altered message as authentic is bounded by:

$$P_a \geq 2^{-r}.$$

In a message authentication without secrecy channel, a third party, commonly called the "host" to the communication channel from the origins of this problem in systems to verify compliance with a comprehensive nuclear weapons test ban treaty, is given the means to decrypt the cipher and thus verify that nothing other than the agreed upon message is contained in the cipher. If a single key cryptoalgorithm is used, this is done by giving him the encryption/decryption session key used to encrypt the immediate past message as soon as the exchange has taken place. If a two-key cryptoalgorithm is used, he is given the decryption key in advance of the exchange. For single key cryptographic systems, the host must "trust" the transmitter/receiver until he receives the decryption key corresponding to the last cipher exchange — which if the message is very long may involve an unacceptable level of risk (to him) of covert communication. There is no way of avoiding this problem for single key systems though, since if the host has the key in advance so that he can decrypt the cipher, he could also encrypt and hence create an undetectable forgery. The essential — and vital — difference for two key cryptosystems is the absence of this need for even a temporary "trust" by either party of the other since the host can have the decryption key in his possession prior to any exchange of messages, and hence have the ability to verify the message content prior to forwarding the cipher. On the other hand, since the host cannot infer the unknown encryption key, the transmitter/receiver are confident that he cannot better his guessing odds of choosing an acceptable cipher. Actual authentication without secrecy channels are frequently much more complex than this simplified description suggests. The chapter entitled "Message Authentication Without Secrecy" in Secure Communications and Asymmetric Cryptosystems [4] is recommended for a more complete discussion of this concept.

The essential points to an authentication without secrecy channel are that:

a) the receiver authenticates a message through the presence of r bits of redundant, i.e., expected, information in the decrypted cipher,

b) the host to the communication channel verifies that nothing has been concealed by decrypting the ciphers and verifying that the resulting message is precisely what he expected based on an a priori knowledge of the message.

As mentioned before, the channel is operationally different for the host depending on whether it is based on a single or two key cryptoalgorithm since this determines whether he can check for concealed information before or after the exchange occurs. However, this does not alter the way in which he satisfies himself that nothing is concealed — namely, that the cipher decrypts to the expected message.

The essential idea involved in setting up a subliminal channel as an indetectable part of a message authentication without secrecy channel is simple. We assume that the authentication channel has been implemented using a two key cryptoalgorithm. In this case the host and/or opponent are given the decryption key, d, in advance to enable them to verify that the overt channel is not being misused — which it isn't. The public (decryption) key cryptoalgorithm, though, isn't quite what it appears to be. For the moment, assume that there are two ciphers corresponding to each message, either of which will decrypt, using the public decryption key, into the same (correct) message. The host, given either one of a pair of such ciphers, would decrypt it using his decryption key and be convinced that nothing was hidden in the message which, technically speaking, is true. The receiver however, could in addition to decrypting the cipher to authenticate the message and to recover the overt communication, also be able to learn as much as one additional bit of information from the identity of the particular cipher used to communicate the message. It is this "side" channel that is called the subliminal channel.

Figure 1 shows schematically what the host has agreed to and believes is taking place, i.e., the classical two key message authentication without secrecy channel. $\mathfrak{M}$ is the set of all possible messages while M is the subset of messages that have the prearranged redundant information and hence will be accepted as authentic by the receiver. For example, if the information is a 48-bit binary number and the authenticating information is a suffix consisting of a 16-bit string of zeroes, $\mathfrak{M}$ is the set of $2^{64}$ 64-bit binary numbers while M is the subset containing only the $2^{48}$ 64-bit numbers that end in 16 zeroes. It is assumed that the encryption function is a good randomizer, i.e., that the ciphers, $C_M$, produced by encrypting the messages in M "spread" over the total of $2^{64}$ ciphers in C in such a way that the opponent — even if he knows the encryption function (but not the encryption key e of course) and arbitrarily many message/cipher pairs — cannot do better at choosing a cipher in $C_M$ than random guessing. The existence of $\mathfrak{M}$ as opposed to M is unimportant to the transmitter since he only encrypts messages from the subset M, i.e., messages that will be acceptable to the receiver. The existence of $\mathfrak{M}$ is vital, however, to both the opponent and receiver, since it provides the means by which the receiver detects and avoids deception. Using the decryption key, d, the receiver and the host/opponent can decrypt any cipher in $C_M$ into the proper $m \in M$. $C_M$ is of course unknown (to the opponent) and as difficult to determine as the cryptoalgorithm is cryptosecure. If the opponent chooses a cipher at random, it will with a probability like $1 - |C_M|/|C|$ be a cipher outside $C_M$ and hence be rejected by the receiver as not being an authentic communication. This is what the host believes is happening, and indeed is all that is verifiable by him.

Figure 1. Two Key Message Authentication Without Secrecy Channel

Figure 2 shows what is actually taking place though (in our simple one-bit example). Instead of there being a single encryption key, e, as claimed by the transmitter/receiver and as believed by the host, there are actually two encryption keys, $e_1$ and $e_2$, each of which encrypts the set of acceptable messages into a corresponding set of acceptable ciphers disjoint from the set of acceptable ciphers produced by the other key. The special feature of the cryptoalgorithm is that either of the ciphers produced by encrypting a message with $e_1$ or $e_2$ decrypts under the key d to $m_i$. As indicated by the bold lines in Figure 2 for the specific choice $m = m_i$:

$$E(m_i, e_1) = c_{i1} \neq c_{i2} = E(m_i, e_2)$$

while

$$D(c_{i1}, d) = m_i = D(c_{i2}, d).$$

Figure 2. One Bit Subliminal Channel

Our convention will be that the transmitter will use $e_1$ to encrypt if he wishes to send a 0 to the receiver and $e_2$ to send a 1. The receiver, knowing d, $e_1$ and $e_2$, can easily detect the subliminal bit sent by the transmitter. He first decrypts the cipher c using d to recover an $m \in \mathfrak{M}$. If the message is authentic, i.e., $m = m_i \in M$, then the received c was actually one of a pair of ciphers, $c_{i1}$ or $c_{i2}$. If $m \notin M$, then of course the communication would be rejected by the receiver as inauthentic. If m is authentic, he then encrypts it with both $e_1$ and $e_2$ to calculate $c_{i1}$ and $c_{i2}$ and hence to determine which cipher was used by the transmitter, i.e., to determine which encryption key was used and thereby to detect the subliminal bit. It should be obvious from this example how the technique can be extended to allow for an arbitrary amount of information to be passed through the subliminal channel. In [1] we discussed one cryptosecure subliminal channel based on the difficulty of factoring sufficiently large products of three distinct primes — which unfortunately couldn't be extended to practical, large capacity, subliminal channels. In the next section we show how to hide a large capacity subliminal channel in digital signatures.

The Subliminal Channel 

Ong, Schnorr and Shamir recently proposed a computationally efficient digital signature scheme based on the difficulty of factoring large composite numbers [2]. In the interest of both completeness and brevity we summarize the essential points in their scheme for the three steps: key generation, signature generation and signature verification.

Key Generation 

1. Tx chooses a composite $n$ which is computationally infeasible to factor. The factorization of $n$ is kept secret (if known).

2. Tx chooses a random $u$, $(u, n) = 1$, and calculates $k \equiv -u^{-2} \pmod n$. $u$ is kept secret.

3. Tx publishes $n$ and $k$ as his authentication key.






Signature Generation

Given a message $m$, $(m, n) = 1$, to be "signed":

1. Tx chooses a random $r$, $(r, n) = 1$. $r$ is kept secret.

2. Tx calculates

$s_1 \equiv \frac{1}{2}\left(\frac{m}{r} + r\right) \pmod n$

$s_2 \equiv \frac{u}{2}\left(\frac{m}{r} - r\right) \pmod n$

3. The triple $(m, s_1, s_2)$ is transmitted as the "signed" message.

Authentication of Signature

1. Rx receives $(m, s_1, s_2)$.

2. Rx calculates

$a \equiv s_1^2 + k \cdot s_2^2 \pmod n$

3. The message $m$ is accepted as authentic if and only if

$a \equiv m \pmod n$.

It is important to note that in the digital signature scheme just described, if we let $\lambda = \lceil \log_2 n \rceil$, $3\lambda$ bits (on average) are transmitted in a signed message $(m, s_1, s_2)$. This communicates $\lambda$ bits of information overtly, and since there are approximately $2^\lambda$ signatures for any given message (one for each choice of $r$), provides approximately $\lambda$ bits of authentication in the signature. The remaining $\lambda$ bits are "wasted" in the digital signature scheme. We propose to use these "free" bits for the subliminal channel. In this respect, using the digital signature channel to implement a subliminal channel differs from what was proposed in [1] where the subliminal bits were obtained by giving up
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an equal number of bits from the authentication channel. This difference 
will also be true for the other digital signature scheme discussed later. 

To set up the subliminal channel, in addition to the steps taken by the transmitter in the key generation procedure for the digital signature scheme, the transmitter secretly communicates $u$ to the designated receiver, Rx†, for the subliminal channel. Now, when the transmitter wishes to send a signed message $m$ through the overt channel and a covert message $m^*$ through the subliminal channel, where it is still desired that both Rx† and third parties be able to verify the authenticity of the signature to $m$, the transmitter generates the signature as follows.

Signature Generation for the Subliminal/Signature Channel

Given a message $m$, $(m, n) = 1$, to be "signed" and a message $m^*$, $(m^*, n) = 1$, to be communicated subliminally:

1. Tx calculates (i.e., signs $m$ with the covert message $m^*$ in the place of the random $r$)

$s_1 \equiv \frac{1}{2}\left(\frac{m}{m^*} + m^*\right) \pmod n$

$s_2 \equiv \frac{u}{2}\left(\frac{m}{m^*} - m^*\right) \pmod n$

2. The triple $(m, s_1, s_2)$ is transmitted as the "signed" message.

Authentication of the signature by either the designated receiver, Rx†, or by third parties is unaffected by the presence of the subliminal communication. The designated receiver, however, knowing $u$ can solve for the subliminal message as follows:
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Decoding the Subliminal Message

The subliminal Rx†, given $(m, s_1, s_2)$ and knowing $u$, calculates

$m^* \equiv \frac{m}{s_1 + u^{-1} s_2} \pmod n$

(since $s_1 + u^{-1} s_2 \equiv m/m^*$) to recover the covert message $m^*$ "hidden" by the Tx in the signature of $m$.

The $3\lambda$ bits (on average) contained in the signed message $(m, s_1, s_2)$ have now been fully used to provide for a $\lambda$ bit overt channel, a $\lambda$ bit covert channel and $\lambda$ bits of authentication. An opponent or outsider is faced with an equally difficult (computational) task in detecting either that the subliminal channel exists or is being employed and in breaking the digital signature scheme.
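The five procedures above (key generation, ordinary signature, verification, the subliminal signature and its decoding) run end to end in the following added example, which is not part of Simmons' paper. The modulus is built from two constructed toy primes and is only for illustration; a real $n$ must be infeasible to factor. The function names and the seeded random choices are this example's own.

```python
import random
from math import gcd

# Constructed toy primes for the example; a real n must be infeasible to factor.
P, Q = 1000003, 1000033
N = P * Q


def inv(a, n):
    return pow(a, -1, n)


def coprime_random(n, rng):
    while True:
        v = rng.randrange(2, n)
        if gcd(v, n) == 1:
            return v


def keygen(n, seed=None):
    """Tx: secret u with (u, n) = 1; public k = -u^(-2) mod n."""
    rng = random.Random(seed)
    u = coprime_random(n, rng)
    k = (-inv(u * u % n, n)) % n
    return u, k


def sign(m, u, n, r=None, seed=None):
    """OSS signature: s1 = (m/r + r)/2, s2 = u(m/r - r)/2 (mod n)."""
    assert gcd(m, n) == 1 and 0 < m < n
    if r is None:
        r = coprime_random(n, random.Random(seed))
    half = inv(2, n)
    m_over_r = m * inv(r, n) % n
    s1 = half * (m_over_r + r) % n
    s2 = half * u * (m_over_r - r) % n
    return s1, s2


def verify(m, s1, s2, k, n):
    """Anyone holding (n, k): accept iff s1^2 + k*s2^2 = m (mod n)."""
    return (s1 * s1 + k * s2 * s2) % n == m % n


def sign_subliminal(m, m_star, u, n):
    """Simmons' channel: the covert m* (coprime to n) replaces the random r.
    Verification is unchanged, so third parties see an ordinary signature."""
    assert gcd(m_star, n) == 1
    return sign(m, u, n, r=m_star)


def decode_subliminal(m, s1, s2, u, n):
    """Designated receiver (knows u): s1 + s2/u = m/m*, hence m* = m/(s1 + s2/u)."""
    return m * inv((s1 + s2 * inv(u, n)) % n, n) % n


if __name__ == "__main__":
    u, k = keygen(N, seed=1)
    m, m_star = 123456789, 987654321
    s1, s2 = sign_subliminal(m, m_star, u, N)
    print(verify(m, s1, s2, k, N), decode_subliminal(m, s1, s2, u, N) == m_star)
```

A verifier who does not hold $u$ cannot tell the subliminal signature from one made with a random $r$: both satisfy the same check, which is the whole point of the channel.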

Gamal has proposed a digital signature scheme [3] based on the difficulty of taking discrete logarithms with respect to a primitive element in a finite field $GF(p)$. Following the same procedure adopted in presenting the Ong-Schnorr-Shamir digital signature scheme, the Gamal scheme also involves the same three steps: key generation, signature generation and signature verification.

Key Generation

1. Tx chooses a finite field $GF(p)$, $p$ a prime, and a primitive element $\alpha \in GF(p)$. This is public information and need not even be unique to the transmitter.

2. Tx chooses a random $u$, $u < p$, and calculates $k \equiv \alpha^u \pmod p$. $u$ is kept secret.

3. Tx publishes $k$, and if need be $p$ and $\alpha$, as his authentication key.
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Signature Generation

Given a message $m$, $m < p$, to be "signed":

1. Tx chooses a random $r$, $(r, p-1) = 1$. $r$ is kept secret.

2. Tx calculates

$x \equiv \alpha^r \pmod p$

and solves for $y$ in

$m \equiv ux + ry \pmod{p-1}$

using the Euclidean algorithm.

3. The triple $(m, x, y)$ is transmitted as the signed message.

Authentication of Signature

1. Rx receives $(m, x, y)$.

2. Rx calculates

$a \equiv k^x x^y \pmod p$

3. The message $m$ is accepted as authentic if and only if

$\alpha^m \equiv a \pmod p$.

In the Gamal digital signature scheme, where $\lambda = \lceil \log_2 p \rceil$, just as in the Ong-Schnorr-Shamir digital signature scheme, $3\lambda$ bits are transmitted to provide a $\lambda$ bit overt channel and $\lambda$ bits of authentication capability. We can use the $\lambda$ bits left over to achieve another subliminal channel.

To set up the subliminal channel, in addition to the steps taken by the transmitter in the key generation procedure, the transmitter secretly communicates $u$ to the designated receiver, Rx†, for the subliminal channel. Now, when the transmitter wishes to send a signed message $m$ through the overt channel and a covert $m^*$ through the subliminal channel, where it is
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still desired that both Rx† and third parties be able to verify the authenticity of the signature to $m$, the transmitter generates the signature as follows:

Signature Generation for the Subliminal/Signature Channel

Given a message $m$, $m < p$, to be "signed," and a message $m^*$, $m^* < p$ with $(m^*, p-1) = 1$ (so that $m^*$ can take the place of $r$), to be communicated subliminally:

1. Tx calculates

$x \equiv \alpha^{m^*} \pmod p$

and solves for $y$ in

$m \equiv ux + m^* y \pmod{p-1}$

using the Euclidean algorithm.

2. The triple $(m, x, y)$ is transmitted as the signed message.

Authentication of the signature by either the designated receiver, Rx†, or by third parties is unaffected by the presence of the subliminal communication. The designated receiver, however, knowing $u$ can solve for the subliminal message as follows:

Decoding the Subliminal Message

The subliminal Rx†, given $(m, x, y)$ and knowing $u$, calculates

$m^* \equiv y^{-1}(m - ux) \pmod{p-1}$

to recover the covert message $m^*$ "hidden" by the Tx in the signature of $m$. (When $y$ is not invertible modulo $p-1$ the congruence $m^* y \equiv m - ux$ has $\gcd(y, p-1)$ solutions, and the check $x \equiv \alpha^{m^*}$ selects the right one.)
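The Gamal scheme and its subliminal variant, run end to end as an added example that is not part of the paper. The prime $p$ is a constructed toy value and the primitive element is found by search; both are far too small for real use. The example also handles the decoding caveat above: when $y$ has no inverse modulo $p-1$ it enumerates the candidate $m^*$ and uses $x = \alpha^{m^*}$ to pick the correct one. Function names are this example's own.

```python
import random
from math import gcd

P = 1000003   # constructed toy prime for the example; far too small for real use


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, f = [], 2
    while f * f <= n:
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if n > 1:
        out.append(n)
    return out


def is_primitive(a, p):
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


ALPHA = next(a for a in range(2, P) if is_primitive(a, P))   # public generator


def keygen(p, alpha, seed=None):
    """Tx: secret u, public k = alpha^u mod p."""
    u = random.Random(seed).randrange(1, p - 1)
    return u, pow(alpha, u, p)


def solve_linear(a, c, m):
    """All y in [0, m) with a*y = c (mod m): gcd(a, m) solutions when consistent."""
    g = gcd(a, m)
    if c % g:
        return []
    a, c, m2 = a // g, c // g, m // g
    y0 = c * pow(a, -1, m2) % m2
    return [y0 + t * m2 for t in range(g)]


def sign(m, u, p, alpha, r):
    """x = alpha^r; y solves m = u*x + r*y (mod p-1), which needs gcd(r, p-1) = 1."""
    assert 0 < m < p and gcd(r, p - 1) == 1
    x = pow(alpha, r, p)
    y = (m - u * x) * pow(r, -1, p - 1) % (p - 1)
    return x, y


def verify(m, x, y, k, p, alpha):
    """Anyone: alpha^m = k^x * x^y (mod p) because u*x + r*y = m (mod p-1)."""
    return pow(alpha, m, p) == pow(k, x, p) * pow(x, y, p) % p


def sign_subliminal(m, m_star, u, p, alpha):
    """The covert m* (coprime to p-1) takes the place of the random r."""
    return sign(m, u, p, alpha, r=m_star)


def decode_subliminal(m, x, y, u, p, alpha):
    """Designated receiver: m* = (m - u*x)/y (mod p-1). If y is not invertible
    mod p-1 there are gcd(y, p-1) candidates; x = alpha^m* identifies the real one."""
    for cand in solve_linear(y % (p - 1), (m - u * x) % (p - 1), p - 1):
        if pow(alpha, cand, p) == x:
            return cand
    return None


if __name__ == "__main__":
    u, k = keygen(P, ALPHA, seed=7)
    x, y = sign_subliminal(424242, 777775, u, P, ALPHA)
    print(verify(424242, x, y, k, P, ALPHA), decode_subliminal(424242, x, y, u, P, ALPHA))
```

Note that the covert message is bounded by $p-1$ and must be coprime to it, exactly the constraint the scheme places on $r$; a practical encoding of arbitrary covert data has to map into that set.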



The general principles underlying the implementation of a subliminal 
channel in a digital signature scheme, as illustrated in the preceding two 
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examples, are probably applicable to digital signature schemes in general. 
One of the author's colleagues, John DeLaurentis, has shown how to realize a subliminal channel in the earlier Ong-Schnorr digital signature scheme [6] and the author has more recently shown how to use the cubic OSS-signature scheme [7] in a similar manner. Both of these cases are more complex to use than the two discussed here, but are fundamentally the same. The bottom line is that (several) digital signature schemes can be adapted to provide high capacity subliminal channels, in which equally much information flows through the covert channel as through the overt channel.

Postscript 

In the week following Eurocrypt 84 at which this paper was presented, 
J. M. Pollard successfully cryptanalyzed the Ong-Schnorr-Shamir digital 
signature scheme [8]. This development doesn't affect the validity of the 
concept of the subliminal channel, but it does eliminate from consideration 
what was the most attractive and practical implementation. 
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1. Introduction

An Oblivious Transfer protocol (O.T.) is defined as a transfer of information from one party (Alice) to another (Bob) with the following properties:

1. Bob has a chance of $\frac{1}{2}$ of obtaining a message $M$.

2. The probability that Alice correctly guesses whether or not Bob obtained $M$ is $\frac{1}{2}$.

The following implementation of O.T., based on the assumption that factoring is hard, was proposed by Rabin.¹ The message $M$ is composed of two large primes $p$ and $q$.

Rabin's Oblivious Transfer Protocol

step 1: Alice sends Bob $N = pq$.

step 2: Bob chooses a random number $x \in Z_N$ and sends $x^2 \bmod N$ to Alice.

step 3: Alice sends $u$ to Bob where $u$ is a square root of $x^2 \bmod N$.

A quadratic residue $x^2 \bmod N$ has exactly four square roots. Distinct roots $x, y$ such that $x \not\equiv \pm y \pmod N$ are called twin roots of $x^2$. Given twin roots of $x^2$, it is possible to efficiently factor $N$ (since $\gcd(x + y, N) \neq 1$). If Bob and Alice follow the protocol, Bob has a chance of $\frac{1}{2}$ of obtaining twin roots of $x^2$, thus factoring $N$ (obtaining $p$ and $q$).

The following problem with Rabin's protocol has not been solved:²

It is conceivable that Bob has a routine $P$ which chooses a quadratic residue $r \bmod N$ such that given any root of $r$ Bob can factor $N$.

If Bob has $P$ then he will always be able to factor $N$.

We present an O.T. protocol which is provably secure. In addition, our protocol can be used to send many messages under the same modulus $N$ without compromising $N$'s factorization. In applications of the O.T. it is important for Alice and Bob to obtain receipts so that a third party (i.e. a judge) can tell from these receipts whether or not Bob obtained $M$. The following problem arises:

Once Bob has obtained the message, how can we prevent him from lying about the information that he originally sent to Alice? For example, if Bob obtains the factorization of $N$, he can lie about which root of $x^2 \bmod N$ he originally had.

The only solution we know of for this problem in Rabin's protocol is as follows:

At step 2 Bob sends $x^2 = f(d)^2 \bmod N$, where $f$ is a one-way function and $d$ is randomly chosen from the domain of $f$. Then, after the protocol, Bob can prove to a judge that he knew $x = f(d)$ by displaying $d = f^{-1}(x)$.

Using one-way functions is clearly undesirable since the protocol cannot then be proven secure. In our protocol, the 

factorization of the modulus is never revealed. This makes it possible to solve the problem above without using 
one-way functions. 
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2. Terminology and Axioms.

Definition: A number $N = pq$, where $p \equiv q \equiv 3 \pmod 4$ are distinct primes and $|\log(p/q)| < 2$, is called a Blum integer.

Assumption 1 (about the model of computation): We assume Alice and Bob have computational power equivalent to a poly-time probabilistic Turing Machine (PTM).

Assumption 2 (Factoring Blum integers is hard): Let $M$ be a poly-time PTM. Let $p_n$ be the probability that $M$ factors a random $n$-bit Blum integer. Then $p_n \to 0$ as $n \to \infty$.

Assumption 3 (about the message space): Every positive integer $< N$ is a valid message. However, Bob knows that the message $M$ is drawn with a uniform probability distribution from a space of possible messages, $MS$, of size $\geq \alpha N$ for a fixed constant $0 < \alpha < 1$. $MS$ is the set of integers in $Z_N$ which have a non-zero probability of being chosen by Alice.

Definition: The length of a protocol is the total number of bits transferred between the parties in the protocol.

Definition: Whenever the set of possible messages is finite, it is very hard to guarantee that Bob will obtain the message with probability exactly $\frac{1}{2}$. This is true even if we assume that both parties follow the protocol, since Bob has a positive probability of simply guessing the message. Instead, we achieve probabilities which deviate by an arbitrarily small $\epsilon$ from $\frac{1}{2}$. We call this $\epsilon$ the bias of the implementation.

Definition: (In an O.T. implementation with bias $\epsilon$) Alice cheats Bob if, when Bob follows the protocol, Alice, by deviating from the protocol, is able to:

i) determine with probability $> \frac{1}{2} + \epsilon$ whether or not Bob obtained $M$; or

ii) diminish Bob's chances of obtaining $M$ to less than $\frac{1}{2} - \epsilon$.

Definition: (In an O.T. implementation with bias $\epsilon$) Bob cheats Alice if, when Alice follows the protocol, Bob, by deviating from the protocol, is able to obtain $M$ with probability $> \frac{1}{2} + \epsilon$.

Definition: An implementation of O.T. in which it is not possible for either Bob or Alice to cheat is called secure. Given this terminology our goal is to describe an implementation of the O.T. with arbitrarily small bias.
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3. A Provably Secure Oblivious Transfer Protocol.

Step 1: Alice sends a random $n$-bit Blum integer, $N$, to Bob. Alice knows the factorization of $N$, but Bob does not.

Step 2: Alice convinces Bob that $N$ is a Blum integer except for the fact that $p$ and $q$ might be raised to odd powers. (See proof of theorem 4.)

Step 3: Bob chooses a random integer $x \in Z_N$ and sends $x^2 \bmod N$ to Alice.

Step 4: Alice sends $M^2 \bmod N$, where $M$ is her private message; $b = $ Jacobi symbol $\left(\frac{M}{N}\right)$; and a random root $w$ of $M^2 x^2 \bmod N$ to Bob. {At this point the message is defined to be the unique root of $M^2 \bmod N$ less than $\frac{N}{2}$ and with Jacobi symbol $b$.}

Step 5: To insure that $w$ is not junk, Bob verifies that $\frac{w^2}{x^2} \equiv M^2 \pmod N$. Then, if Jacobi symbol $\left(\frac{w/x}{N}\right) = b$, Bob has the message.

Using well known number theoretical algorithms all computations required by the protocol can be done in polynomial time in $n$.
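Steps 3 to 5 between honest parties, together with the twin-root factoring from Rabin's protocol in the Introduction, as an added example that is not taken from the paper. The Blum integer is built from the constructed toy primes 1019 and 1031; the zero-knowledge proofs of Step 2 are not implemented, so the example assumes $N$ is a genuine Blum integer. Function names and the seeded random choices are this example's own.

```python
import random
from math import gcd

P, Q = 1019, 1031          # constructed toy primes, both 3 (mod 4): N is a Blum integer
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def sqrt_mod_blum(a, p, q):
    """All four square roots of the quadratic residue a mod pq (p, q = 3 mod 4).
    Only Alice, who knows p and q, can compute these."""
    n = p * q
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    assert rp * rp % p == a % p and rq * rq % q == a % q, "not a quadratic residue"
    inv_p = pow(p, -1, q)
    roots = set()
    for sp in (rp, -rp):                       # CRT-combine each sign choice
        for sq in (rq, -rq):
            roots.add((sp + p * ((sq - sp) * inv_p % q)) % n)
    return sorted(roots)


def factor_from_twin_roots(x, y, n):
    """Rabin: x^2 = y^2 with x != +-y (mod n) splits n via gcd(x + y, n)."""
    g = gcd(x + y, n)
    assert 1 < g < n
    return g, n // g


def canonical(root, n):
    """The representative of {root, -root} below n/2 (the message representative)."""
    return min(root, n - root)


def oblivious_transfer(message, p, q, rng):
    """Steps 3-5 with both parties honest. Returns (root Bob recovers, bob_has_M)."""
    n = p * q
    assert 0 < message < n / 2 and gcd(message, n) == 1
    # Step 4 data prepared by Alice: M^2 and b = (M/N)
    m2, b = message * message % n, jacobi(message, n)
    # Step 3: Bob picks x and sends x^2
    x = rng.randrange(1, n)
    while gcd(x, n) != 1:
        x = rng.randrange(1, n)
    x2 = x * x % n
    # Step 4: Alice returns a uniformly random root w of M^2 x^2
    w = rng.choice(sqrt_mod_blum(m2 * x2 % n, p, q))
    # Step 5: Bob checks w is a root of M^2 x^2, then tests the Jacobi symbol of w/x
    assert w * w % n == m2 * x2 % n, "junk root"
    wx = w * pow(x, -1, n) % n
    return canonical(wx, n), jacobi(wx, n) == b


def run_trials(message, trials, seed, p=P, q=Q):
    """Repeat the transfer: how often Bob got M, and whether every run was consistent
    (Bob's Jacobi test says 'got it' exactly when his root really is M)."""
    rng = random.Random(seed)
    hits, consistent = 0, True
    for _ in range(trials):
        learned, got = oblivious_transfer(message, p, q, rng)
        consistent &= (got == (learned == message))
        hits += got
    return hits, consistent


if __name__ == "__main__":
    print(run_trials(424242, 400, 3))
```

The Jacobi test in Step 5 works because $\left(\frac{-1}{N}\right) = 1$ for a Blum integer, so $M$ and $-M$ share the symbol $b$ while the twin roots $\pm L$ carry $-b$; Bob therefore learns with certainty whether the root he holds is $M$, yet Alice, who chose $w$ at random, does not.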

4. The protocol works when both parties follow the protocol.

First we show that, after step 4, Bob cannot factor $N$. For simplicity we ignore the Jacobi symbol since it is clear that it does not help Bob factor $N$.

We think of Bob as a poly-time PTM $B$ with oracle $A$ (Alice). Oracle $A$ takes as input a pair $(N, x^2)$ where $N$ is an $n$-bit Blum integer and $x^2$ is a quadratic residue in $Z_N$ and returns a random root of $M^2 x^2$ where $M$ is a random element in $MS$. The input to $B$ is an $n$-bit Blum integer $N$. $B$ contains a routine $P(N)$ which returns a pair $(x, x^2)$ where $x \in Z_N$. $B$ is allowed to make one call $A(N, x^2)$ to $A$ provided $x^2$ was generated by $P$, i.e. provided Bob knows a root of $x^2$.

Theorem 1:

Let $\psi_n$ be the probability that $B$ factors $N$ given that $N$ is a random $n$-bit Blum integer. Then $\psi_n \to 0$ as $n \to \infty$.

Proof: Construct a PTM $B^{smart}$ as follows:

INPUT: an $n$-bit Blum integer $N$.

$B^{smart}$: simulate $B$ on input $N$ until $B$ makes the call $A(N, x^2)$;
generate a random element $M$ in $Z_N$;
assume $A(N, x^2)$ returns $Mx$;
continue simulating $B$.

By assumption 3, the probability that $M$ is in $MS$ is $\alpha$. Given that $M$ is in $MS$ the probability that $\pm Mx$ gets chosen as a root of $M^2 x^2$ is $\frac{1}{2}$. Thus the probability $p_n$ that $B^{smart}$ factors $N$ is $\geq \frac{\alpha}{2}\psi_n$. But $B^{smart}$ is a poly-time PTM and so, by assumption 2, $p_n \to 0$. This implies $\psi_n \to 0$. ∎
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Theorem 2:

Assume both parties follow the protocol. Let $p_n$ be the probability that Bob obtains $M$. Then $p_n \to \frac{1}{2}$ as $n \to \infty$.

Proof: The roots of $x^2 M^2 \bmod N$ are $\pm xM$ and $\pm xL$ where $L, M$ are twin roots of $M^2 \bmod N$. The probability that Alice sends $\pm xM$ is $\frac{1}{2}$. Thus $p_n \geq \frac{1}{2}$.

Let $E_1$ be the event that Bob factors $N$. Let $\mathrm{prob}(E_1) = \psi_n$. Assume for simplicity that, given twin roots of $M^2 \bmod N$, Bob can factor $N$ in 0 steps. Let $E_2$ be the event that Bob obtains $M$. Then

$p_n = \mathrm{prob}(E_2)$

$= \mathrm{prob}(E_2 \mid E_1)\,\mathrm{prob}(E_1) + \mathrm{prob}(E_2 \mid \neg E_1)\,\mathrm{prob}(\neg E_1)$

$\leq \mathrm{prob}(E_1) + \mathrm{prob}(E_2 \mid \neg E_1)$

$\leq \psi_n + \mathrm{prob}(E_2 \mid \neg E_1).$

Now, given $\neg E_1$, Bob can obtain at most one root of $M^2$ less than $\frac{N}{2}$. Thus he will obtain $M$ if and only if Alice sends $\pm xM$. The probability of this event is $\frac{1}{2}$. Thus $\mathrm{prob}(E_2 \mid \neg E_1) = \frac{1}{2}$, which implies $p_n = \mathrm{prob}(E_2) \leq \frac{1}{2} + \psi_n \to \frac{1}{2}$ by theorem 1. ∎

Theorem 3:

Assume both parties follow the protocol. Let $N$ be an $n$-bit Blum integer. Let $p_n$ be the probability that Alice correctly guesses whether or not Bob obtained $M$. Then $p_n \to \frac{1}{2}$ as $n \to \infty$.

Proof: Let $\psi_n$ be the probability that Bob factors $N$. If Alice guesses that Bob obtained $M$, then she is right if either Bob was able to factor $N$ or Bob received $\pm xM$ (probability $= \frac{1}{2}$). Thus she is right with probability $p$ where $\frac{1}{2} \leq p \leq \frac{1}{2} + \psi_n$. If Alice guesses that Bob did not obtain $M$, then she is right with probability $1 - p$, where $\frac{1}{2} - \psi_n \leq 1 - p \leq \frac{1}{2}$. Thus $p_n \in [\frac{1}{2} - \psi_n, \frac{1}{2} + \psi_n]$. By theorem 1, $p_n \to \frac{1}{2}$ as $n \to \infty$. ∎

Result

Theorems 1, 2 and 3 prove that our protocol works for honest parties. Now we must show it is secure.
5. The protocol is secure

We will first assume Bob knows a root of $x^2 \bmod N$.  Later we will drop this assumption.

Theorem 4:

Assume that at step 3 Bob knows a root of $x^2$. Then Alice can not cheat Bob, nor can Bob cheat Alice.

Proof: We look at possible deviations from the protocol and show that they are not useful or cannot be hidden. Assume Alice follows the protocol. At step 3 Bob must send a quadratic residue because Alice has the factorization of $N$ and can decide quadratic residuosity. Theorem 1 shows Bob obtains at most one root of $M^2$ independently of how he chose $x$. Thus not choosing $x$ at random does not constitute cheating. This exhausts the possibilities of
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Bob cheating.

Now assume Bob follows the protocol. We do not know of an efficient protocol by which Alice can prove to Bob that $N$ is a Blum integer. However, the remainder of the proof relies only on the fact that $N$ is the product of two distinct primes congruent to 3 mod 4, each raised to an odd power.

$N$ is the product of two distinct primes congruent to 3 mod 4, each raised to an odd power if and only if the following 3 conditions are met:

a) The Jacobi symbol $\left(\frac{-1}{N}\right) = 1$.

b) $N$ has exactly 2 distinct prime factors.

c) Quadratic residues have roots with distinct Jacobi symbols.

The first condition is efficiently verifiable by Bob. Goldwasser and Micali³ have shown that Alice can convince Bob (efficiently, securely and with exponentially small probability of error) that (b) holds. Blum⁴ has shown Alice can convince Bob (efficiently, securely and with exponentially small probability of error) that (c) holds.

Now Bob knows that $M^2 \bmod N$ has exactly 2 roots less than $\frac{N}{2}$ and that these roots have opposite Jacobi symbols. At step 4 Alice defines the message to be the (unique) square root of $M^2 \bmod N$ which has Jacobi symbol $b$ and is less than $\frac{N}{2}$. She cannot avoid sending a root of $M^2 \bmod N$, and she has no way of knowing which root she is actually sending. ∎



Theorem 4 assumes that Bob knows a root of $x^2 \bmod N$. The next theorem says Bob cannot cheat Alice at step 3 by sending a quadratic residue without knowing one of its roots.

Theorem 5:

Assume Alice follows the protocol. If, at step 3, Bob does not know a square root of $x^2$, yet he has probability $> \frac{1}{2}$ of obtaining $M$, then there exists an efficient probabilistic procedure to compute a root of $x^2 \bmod N$ with exponentially small probability of failure.

Proof: We think of Bob as a dishonest PTM $B^{dishonest}$ with oracle $A$. Recall that oracle $A$ takes as input a pair $(N, x^2)$ where $N$ is an $n$-bit Blum integer and $x^2$ is a quadratic residue in $Z_N$ and returns a random root of $M^2 x^2$ where $M$ is a random element in $MS$.

The input to $B^{dishonest}$ is an $n$-bit integer $N$. Since Bob is dishonest we must drop the requirement that the routine $P(N)$ returns a root of the quadratic residue $x^2$. Thus $P(N)$ will return only the quadratic residue $x^2$. $B^{dishonest}$ is allowed to make one call $A(N, P(N))$ to $A$.

Let $p_n$ be the probability that $B^{dishonest}$ gets the message. We will use $B^{dishonest}$ to construct a parallel PTM $B^{smart}$ which computes a root of $x^2 \bmod N$. The sequential version of $B^{smart}$ runs in polynomial time and computes a root of $x^2 \bmod N$ with probability of failure $(1 - \frac{\alpha}{4})^r$ for an arbitrarily large constant $r$. The construction follows:
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INPUT: an $n$-bit integer $N$.

$B^{smart}$:
simulate $B^{dishonest}$ until call $A(N, P(N))$ is made;
{Let $x^2 = P(N)$}
For each of $r$ processors do
begin
generate a random number $y \in Z_N$; { $\frac{y}{x}$ is called the "fake message" }
Assume $A(N, x^2)$ returns $y$;
continue simulating $B^{dishonest}$;
if $B^{dishonest}$ gets the fake message all processors stop;
end.

Lemma 1: If any of the $r$ processors gets the fake message then $B^{smart}$ knows a root of $x^2$.

Proof: The processor that gets the fake message can compute $\sqrt{x^2} = y \cdot \left(\frac{y}{x}\right)^{-1}$. ∎

Lemma 2: The probability that a particular processor gets the fake message is $> \frac{\alpha}{4}$.

Proof: The probability that $z = \frac{y}{x}$ lies in $MS$ is $\alpha$. Given that $z$ lies in $MS$, the probability that $\pm y$ gets chosen as a root of $z^2 x^2$ is $\frac{1}{2}$. Given this event the probability that $B^{dishonest}$ obtains the fake message is (by assumption) $> \frac{1}{2}$. Thus the total probability that a particular processor gets the fake message is $> \frac{\alpha}{4}$. ∎

Thus the probability that no processor gets the fake message is $< (1 - \frac{\alpha}{4})^r$. Therefore, by Lemma 1, $B^{smart}$ obtains a root of $x^2 \bmod N$ with probability at least $1 - (1 - \frac{\alpha}{4})^r$. ∎

Theorems 4 and 5 establish that our protocol is secure.
6. Generalizations

We state without proof that the following generalizations do not compromise the security of the O.T. protocol:

i) we may replace $\alpha$ by $\frac{1}{p(n)}$ for a fixed polynomial $p$.

ii) If the protocol is implemented "with receipts", i.e. Bob and Alice send a receipt for each message received, then Bob can prove to a third party whether or not he received $M$.

iii) Goldreich has proposed a version of the Oblivious Transfer in which Alice transfers to Bob exactly one out of two recognizable messages $M_1, M_2$. Our protocol can be easily adapted to perform Goldreich's OT as follows:

Let XOR be the bitwise exclusive-or operator for bit vectors. Let $L$ be the twin root of $M_1$. Let $Y = L \text{ XOR } M_2$. (Notice that $M_2 = L \text{ XOR } Y$.) At step 4 Alice sends $Y$ along with $b$ and $\sqrt{M_1^2 x^2}$.
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iv) if we wish to send many independently distributed messages, say $q$ messages for a fixed integer $q$, we may replace steps 3, 4, 5 of the protocol by the loop:

for i := 1 to q do
begin

Step 3: Bob chooses a random integer $x_i \in Z_N$ and sends $x_i^2 \bmod N$ to Alice.

Step 4: Alice sends $M_i^2 \bmod N$, where $M_i$ is her private message; $b = $ Jacobi symbol $\left(\frac{M_i}{N}\right)$; and a random root $w$ of $M_i^2 x_i^2 \bmod N$ to Bob. {At this point the message is defined to be the unique root of $M_i^2 \bmod N$ less than $\frac{N}{2}$ and with Jacobi symbol $b$.}

Step 5: To insure that $w$ is not junk, Bob verifies that $\frac{w^2}{x_i^2} \equiv M_i^2 \pmod N$. Then, if Jacobi symbol $\left(\frac{w/x_i}{N}\right) = b$, Bob has the message.

end

7. Conclusions and Suggestions for Further Research

Thus we have developed a provably secure implementation of the Oblivious Transfer protocol. In our implementa- 
tion it is essentially impossible for either Bob or Alice to successfully cheat. We have also shown that our imple- 
mentation has certain properties which will make it an important building block for designing secure protocols. 
Essential to this research is the creation of a formal model of a protocol. Once this has been accomplished, one 
could prove theorems about the ways that various protocols can be combined so that the security of the implemen- 
tation is not compromised. 
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Abstract 

We consider communication networks in which it is not possible to identify the 
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two-party protocol. We show that more than the existence of a secure Public Key 
Cryptosystem should be assumed in order to present a secure protocol for concurrent 
identification. We present two concurrent identification protocols: The first one relies 
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while the second protocol relies on the distribution of "experimental sequences" by 
instances of a pre- protocol which have taken place between every two users. 
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1. Introduction 

Let $N$ be a set of users in a communication network in which it is not possible to identify the source of a message broadcast on the network. Thus, identification of the source of a message can only rely on the content of the message. Clearly, this would require some sort of a secure authentication scheme as well as a secure protocol which makes use of it.

The task of reaching concurrent identification is somewhat more involved. It 
requires not only that identification takes place but also that it takes place concurrently; 
i.e that through this process there would be no situation in which one party had 
a "substantial" advantage in guessing and/or computing his counterpart's identity. 
Methods for reaching concurrent identification may be of value in certain business 
environments in which transactions are carried out in two stages: first reaching an 
anonymous agreement and only then yielding the identities of the parties to the 
agreement, as quickly as possible. (An example of such an environment is a future stock 
exchange without brokers[dealers] or even a present stock exchange controlled by an 
agency that wishes to prevent biased deals.) 

Clearly, if one allows the participation of trusted third parties in the concurrent 
identification process, trivial solutions exist. However,we are interested in the existence 
of two-party protocols through which concurrent identification takes place (hereafter 
referred to as Concurrent Identification Protocols or as cips). 

In Sec. 2 we show that the mere existence of a PKCS (Public Key Cryptosystem 
[DH]) and a public file of all public keys does not suffice for the existence of a secure 
cip in the net (i.e. there exists no secure cip in such a net). 

In Sec.3 we present a cip which relies on a trusted center which has prepared and 
distributed "identification tags" to the users at the time the net has been established. 
(This center does not participate in the cip!) The number of transmissions 
needed to distribute these tags is linear in the number of users; thus the complexity 
of establishing a net in which this cip can be used securely is still linear in the 
number of its users. This fact combined with the simplicity of the cip itself makes its 
implementation reasonably practical. 

In Sec. 4 we present a secure cip which does not rely on the honesty of some 
center nor even on its mere existence. Instead this cip relies on information which has 
been passed between every pair of users , via instances of a pre-protocol which have 
taken place at the time the net was established. The fact that the pre-protocol is fairly complicated, combined with the fact that $O(|N|^2)$ instances must take place, causes this concurrent identification scheme to be impractical, especially for large networks. However it demonstrates that concurrent identification can take place even if no center exists (at the time the net has been established as well as later).

In both Sec. 3 and 4 we assume the existence of secure cryptosystems, in particular the existence of a secure public key cryptosystem (PKCS) [DH].
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A natural problem which arises when designing identification protocols is the replay problem, which is hereafter described. User A may try to impersonate user B by using information B has revealed to him in previous instances of the identification protocol. Note that this information has been used to authenticate B and can be used by A to cheat C, unless the protocol has features which prevent such an attempt to cheat. In case of simple identification it is enough to ask for a signature to some time dependent message. (Note that this can not be done trivially in a cip since a signature to any message will immediately reveal the identity of the signer.)

To solve the replay problem in the concurrent identification protocols presented 
in this paper we use an Oblivious Transfer (OT) subprotocol. The notion of OT was 
first introduced and implemented by Rabin [R]. Another definition of OT, which we 
believe to be more natural, was suggested by Even,Goldreich and Lempel [EGL] (and 
implemented using any PKCS). By their definition an OT of a recognizable message 
,M , is a protocol by which a sender ,S, transfers to a receiver ,R, the message M so 
that R gets M with probability one half while for 5 the a-posteriori probability that 
R got M remains one half. In this work, we use a modification of the above definition; 
for details see the Appendix. 

2. Necessary Conditions for the Existence of a CIP 

It was already mentioned that no cip (as well as no identification protocol) can exist in a net if it is not assumed that the users are provided with some secure cryptographic identification scheme. We will assume the existence of both a secure conventional cryptosystem (e.g. the DES [NBS]) and a secure PKCS. However, we shall show that this assumption does not suffice to allow the existence of a secure cip, namely:

Theorem 1: A cip, which relies only on the existence of secure cryptosystems (the 
instances of which are free of any relation other than the cancellation of encryption 
by the corresponding decryption and vice versa) and a public file of all public keys , 
can not be secure. 

The proof appears in the full version of this paper. 

To conclude this section we point out that the "replay problem" is trivially solvable only under unreasonable assumptions, namely:

(i) Each user eavesdrops on all the instances of the cip and records the information 
he reads. 

or 

(ii) Each user notifies all the other users about every instance of the cip he 
participates in. 
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3. A CIP which Relies on Preparations by a Trusted Center

In this section we show how identification tags distributed to the users by a trusted center can guarantee the existence of a cip. The center can distribute these tags at the time the network is established. The center must be trusted not to collaborate with any user, in the process of distributing the tags as well as during the time the cip is run. It is preferred that the center would cease to exist after distributing the tags. The tags will bear the center's signature and thus be unforgeable. Every user can protect himself against the replay of his tags (by other users), by using a tag only once. Thus, the center should provide each user with enough tags.

We assume the existence of a secure PKCS (e.g. the RSA [RSA]) and of a conventional cryptosystem (e.g. the DES [NBS]). We also assume that all users have equal computing power.

3.1. The Identification Tag 

Before describing the structure of the identification tag let us introduce some 
notation: 

(i) F denotes a conventional cryptosystem and $F_K(M)$ [$F_K^{-1}(M)$] denotes the 
encryption [decryption] of M by F using the key K. 

(ii) $E_X$, $D_X$ will denote the encryption and decryption algorithms of user X 
(i.e. the PKCS's instance generated by X). Note that $D_X(M)$ can serve as 
X's signature to M. 

(iii) C denotes the center. 

(iv) $N_X$ denotes the binary representation of X's name. 

An Identification Tag (IT) of user X consists of three parts: 

(1) The header, which contains an (unforgeable) encryption of X's name: 
$D_C(z, F_y(S), F_y(N_X))$, where y is a randomly chosen key (of length k) to F and 
z is a random "serial" number. 

(2) The anti-replay part, which consists of n pairs of recognizable (and unforgeable) 
messages. The i-th pair, denoted $AR_i$, is $(D_C(z, L_i), D_C(z, R_i))$. 

(3) The certified key-bits part, which consists of the bits of the key y, which was used 
for the encryption of X's name, certified by the center: the certification of $y_i$ (the i-th 
bit of y) is $D_C(z, i, y_i)$. 

Note that all parts of an IT bear the same serial number and that they are signed by 
the center. User X is called the legitimate holder (or just the holder) of the above 
identification tag. (Note that although other users can have parts of X's tag, only X 
can have all of it if he follows the cip described below properly.) 

Remark: S, the $L_i$'s and the $R_i$'s are arbitrary, fixed messages (i.e. invariant of 
X, y and z). 

We remind the reader that these ITs will be distributed to the users by C at the 
time the network is established. Note that at that time only X has X's ITs. In the 
next subsection we will present a cip in which X uses one of his ITs to identify himself 
without yielding the entire IT. It will be shown that this prevents the replay of this IT 
by another user. 

3.2. The Protocol 

The cip described below uses an OT subprotocol which allows a user to send two 
recognizable messages such that: (1) his counterpart receives exactly one of them; (2) 
with probability one half the receiver receives the first message; (3) for the sender the 
a-posteriori probability that the first message was received remains one half; (4) if the 
sender tries to cheat the receiver will detect it with probability at least one half. 

(An implementation of this OT is described in the Appendix and is based on ideas 
which first appeared in Even, Goldreich and Lempel [EGL].) 

The cip proceeds as follows: 

(The parties to the protocol are denoted A and B) 

step 1: (linking identity with a secret serial number) 

    A chooses one of his unused ITs (hereafter denoted $t_A$), 
    marks $t_A$ as "used" 
    and transmits $t_A$'s header to B. 
    B acts symmetrically, transmitting $t_B$'s header to A. 
    (Each checks whether the center's signature 
    to the header is authentic.) 

step 2: (protection against replay attempts) 

    for i = 1 to n do begin 
        A sends to B one element out of $t_A$'s $AR_i$, via OT. 
        B acts symmetrically w.r.t. $t_B$. 
        (Each uses the cheat detection mechanism of the OT.) 
    end 

step 3: (decreasing the time of computing the identity) 

    for i = 1 to k do begin 
        A transmits to B the i-th certified key-bit of $t_A$. 
        B acts symmetrically w.r.t. $t_B$. 
        (Each checks the signature certifying the bit received.) 
    end 

3.3. Analysis of the Protocol and the Structure of the IT 

Remarks (for $X \in \{A, B\}$): 

(R1) The header of $t_X$ establishes a linkage among X's name (although encrypted), the 
key y (which is used for the encryption of both $N_X$ and the standard message 
S) and z (which is used as a serial number). It also provides information for the 
computation of y, although this computation becomes feasible only during step (3). 
(R2) The anti-replay part of $t_X$ allows X to protect himself against the replay of $t_X$. Note 
that if X uses $t_X$ only in one instance of the protocol and executes this instance 
properly then he is (still) the only user in the net who knows both elements 
of each $AR_i$ in $t_X$. (Note that his counterpart in the cip instance only got one 
element out of each $AR_i$.) User Y, $Y \neq X$, will succeed in replaying $t_X$ only 
if he is asked in the OT of each $AR_i$ (which occurs in step (2) of the protocol) 
to disclose the element of $AR_i$ which is known to him. Note that for Y, both 
the element he is asked to disclose and the element known to him are randomly 
chosen out of an $AR_i$ of $t_X$ (this is due to the use of the OT in step (2)). Thus, the 
probability that Y will succeed in replaying $t_X$ is bounded from above by $2^{-n}$. 
Thus, a proper execution of step (2) of the protocol (only) assures the parties that 
the identification tags are in the hands of their legitimate holders. 

(R3) The third part of $t_X$ (which is exchanged in step (3) of the protocol) allows the 
gradual decrease in the time of computation which is required to extract $N_X$ from 
the header of $t_X$. $N_X$ is extracted by first finding the key y which transforms 
the message S into the cryptogram $F_y(S)$. Note that this computation becomes 
feasible (during step (3) of the protocol) only after the tag holder has proven 
himself to be the legitimate one (by succeeding in a faultless execution of step (2) 
of the protocol). 

(R4) If the rate at which the time required to compute $N_X$ given the header 
of $t_X$ decreases is considered to be too fast, one may slow it down by using simple 
"exchange of half bit" schemes (e.g. Tedrick's schemes [T]). 

(R5) The interleaving in step (2) of the protocol is not material. 

(R6) One can use the "conventional OT" instead of the "one-out-of-two OT" for an 
oblivious transfer of each element of the anti-replay part. However, the analysis of such 
a protocol will be more involved. 

(R7) There is some similarity between the ideas used in the above anti-replay, and 
the ideas of Bennett et al. ([BBBW]). However, Bennett et al. consider a specific 
physical device which stores 2 messages such that only one of them can be read; 
while we consider a protocol through which one out of two messages is randomly 
transferred. 
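Step 2 of the protocol and the bound of remark (R2) can be exercised in code. The following Python is an added example and not part of the paper; it assumes an HMAC under a key held only by the center as a stand-in for the center's signature $D_C$ (the paper uses a PKCS signature such as RSA), and it models the one-out-of-two OT by the receiver's coin alone, since for the replay bound only the element actually delivered matters.

```python
import hashlib
import hmac
import itertools
import secrets

# Added example, not from the paper.  Assumptions: the center's signature D_C is
# replaced by an HMAC under a key only the center holds; the one-out-of-two OT is
# modelled by the receiver's coin b: the receiver obtains element b of the pair
# and the sender never learns b.

CENTER_KEY = secrets.token_bytes(32)   # constructed; known to the center only
SIDES = (b"L", b"R")                   # the fixed messages L_i and R_i of the paper


def center_sign(z: int, side: bytes, i: int) -> bytes:
    """Stand-in for D_C(z, L_i) or D_C(z, R_i): a tag on serial z, side and index i."""
    return hmac.new(CENTER_KEY, b"%d|%s|%d" % (z, side, i), hashlib.sha256).digest()


def recognize(elem: bytes, z: int, side: bytes, i: int) -> bool:
    """The receiver's check that elem is the center's signature on (z, side, i)."""
    return hmac.compare_digest(elem, center_sign(z, side, i))


def issue_anti_replay(z: int, n: int):
    """Anti-replay part of an IT with serial z: n pairs AR_i = (D_C(z,L_i), D_C(z,R_i))."""
    return [(center_sign(z, b"L", i), center_sign(z, b"R", i)) for i in range(n)]


def ot_send(pair, b: int) -> bytes:
    """One-out-of-two OT: the receiver gets pair[b]; the sender learns nothing about b."""
    return pair[b]


def step2(receiver_z: int, sender_pairs, coins) -> bool:
    """Step 2 as run by the receiver: for every i obtain, via OT, a random element of
    the sender's AR_i and check that it is the center's signature on (z, side, i),
    where z is the serial number taken from the header received in step 1."""
    for i, (pair, b) in enumerate(zip(sender_pairs, coins)):
        if not recognize(ot_send(pair, b), receiver_z, SIDES[b], i):
            return False
    return True


def eavesdropped_pairs(tag, seen_bits):
    """What a user Y holds after having been X's counterpart once: one element of
    each AR_i (the one the OT delivered, seen_bits[i]).  The other element is
    unknown to Y, who cannot forge D_C and so has to substitute junk for it."""
    pairs = []
    for pair, s in zip(tag, seen_bits):
        known, junk = pair[s], b"\x00" * len(pair[s])
        pairs.append((known, junk) if s == 0 else (junk, known))
    return pairs


def replay_success_count(n: int, z: int = 1234):
    """Over all 2^n coin vectors of the receiver, count the runs in which the
    legitimate holder passes and the runs in which a replaying Y passes.
    Y passes only when the coins coincide with the bits he saw: one run in 2^n."""
    tag = issue_anti_replay(z, n)
    seen = [secrets.randbelow(2) for _ in range(n)]     # what Y learnt, one per pair
    replay = eavesdropped_pairs(tag, seen)
    holder_ok = replay_ok = 0
    for coins in itertools.product((0, 1), repeat=n):
        holder_ok += step2(z, tag, coins)
        replay_ok += step2(z, replay, coins)
    return holder_ok, replay_ok   # expected (2**n, 1)


if __name__ == "__main__":
    n = 6
    holder_ok, replay_ok = replay_success_count(n)
    print(f"n={n}: holder passes {holder_ok}/{2**n}, replayer passes {replay_ok}/{2**n}")
```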

We claim that this cip is secure provided the following assumptions hold: 

(A1) A trusted center has distributed the identification tags described in Sec. 3.1 to 
the legitimate holders. (The center is trusted not to convey any information about 
the tags he has provided to user X to any other user. He is also trusted not to yield 
his signature algorithm.) 

(A2) All parties have equal computing power. 

(A3) Both the conventional cryptosystem and the PKCS used by the protocol are 
secure. (No one can forge C's signature. Extracting M from $F_K(M)$ given S, $F_K(S)$ 
and some of K's bits requires exhaustive search on all keys which match the 
known bits of K; when no bit of K is known this computation is infeasible.) 

Theorem 2: If the above assumptions hold and a user, U, plays the protocol properly 
then the following hold: 

(1) In any phase during the execution of the protocol, if U's counterpart 
can find out U's identity using expected time t then U can 
find out what is claimed to be his counterpart's identity in about 
the same expected time. 

(2) If U's counterpart is honest, U will find out his identity. 

(3) If U's counterpart is impersonating then with high probability 
$(1 - 2^{-n})$ U will find this out before reaching a stage 
in which the computation of his identity is feasible. 

The proof appears in the full version of this paper. 

4. A CIP which Relies on Preparations by Instances of a Pre-Protocol 

In this section we (only) assume the existence of a secure PKCS. We show how a 
pre-protocol, played between every pair of users, can grant the existence of a cip in the 
net. Note that we do not assume that there exists some (trusted) center and that we do 
not assume that all parties have equal computing power. (It should be stressed that we 
do not refer to the public file of the users' encryption keys as a center.) Since instances 
of the pre-protocol must take place between every pair of users, the result of this 
section, although being of theoretical interest, is practical only for "small" networks. 
The purpose of the pre-protocol is to distribute secure experimental sequences which 
will be used in the identification process. These sequences will be unforgeable and will 
yield the identity of their legitimate holder¹ if some parts of them are read completely. 
However, it will be possible to give away only small (still unforgeable) fragments of the 
sequence, yielding only a "small amount of information" about their legitimate holder. 

The idea behind the implementation of these experimental sequences (hereafter 
referred to as SES's) is to allow a user to conduct experiments on the bits of another 
user's name. The experiment is guaranteed to give a result equal to the tested bit with 
some fixed probability greater than one half. Thus conducting enough experiments 
on a bit gives certainty of knowing its right value; whereas on the other hand a 
single experiment does not give much information about the corresponding bit. The 
cip consists of letting each user experiment on each of his counterpart's name bits by 
just sending one entry in the experimental sequence. The implementation of a process 
which constructs secure experimental sequences is discussed in the full version of this 
paper ([G]). (Its essence is that the SES will be built anonymously by the user who will 
later experiment on it. The sequence will be built by flipping a biased coin so that its 
builder will only know the expected value of an entry in it and not the concrete value. 
This will be achieved by using an OT.) 

Remark: The idea of using a biased coin as a tool for exchanging a bit of information 
was suggested, independently, by Luby, Micali and Rackoff in their MiRackoLus paper 
[LMR]. It should be stressed that the problem they were facing was much more difficult 
and their solution (a coin the bias of which is determined by the secrets of both parties 
and without yielding these secrets) much more inspiring. However, the author does 
not know of any reduction between the biased coin used here and the symmetric biased 
coin suggested in [LMR]; there are too many differences in the setting, conception and 
implementation! 

¹ As in Sec. 3 it will happen that other users know part of the sequence but only one user (its holder) 
knows all of it, provided he follows the cip which reveals parts of it properly. 

4.1. Sketch of the Concurrent Identification Protocol 

(The parties to the cip will be denoted A and B) 

(0) A notifies B which of B's SESs he would like to examine. 
    B acts symmetrically w.r.t. A's SESs. 

(1) A checks whether he is communicating with the legitimate holder 
    of the SES (i.e. B). 
    B acts symmetrically. 
    (This is done by testing the anti-replay part of the SES 
    similarly to the way it was done in the cip of Sec. 3.) 

(2) for i = 1 to q (the number of entries in a SES) do begin 
        A transmits the i-th entry of his SES to B. 
        B acts symmetrically. 
    end 

4.2. Analysis of the Protocol 

Under the assumption that there exist SESs in the network it is straightforward 
to prove that the cip presented above is secure, namely: 

Theorem 3: If a user, U, plays the above cip properly then the following hold: 

(1) In any phase during the execution of the protocol, if for 
U's counterpart the entropy of U's name is e then for U 
the entropy of what is claimed to be his counterpart's name 
is very close to e. 

(2) If U's counterpart is honest, U will find out his identity. 

(3) If U's counterpart is impersonating then with high probability 
$(1 - 2^{-n})$ U will find this out before reaching a stage 
in which he has revealed any information about his identity. 

The proof appears in the full version of this paper. 
7. Appendix: An Implementation of OT 

Assume S wants to transfer to R exactly one of the messages $M_1$ and $M_2$ such that: 

(1) R can recognize both $M_1$ and $M_2$ 
(e.g. they are signatures to known messages). 

(2) If S is honest then R gets $M_1$ with probability one half. 
For S the a-posteriori probability that R got $M_1$ remains one half. 

(3) If S tries to cheat, R will detect it with probability at least one half. 

An implementation of this transfer proceeds as follows: 

(0) S chooses, randomly, two pairs $(E_1, D_1)$ and $(E_2, D_2)$ of 
encryption-decryption algorithms of the PKCS. 
R chooses, randomly, a key K 
for the conventional cryptosystem F. 

(1) S transmits $E_1$ and $E_2$ to R. 

(2) R chooses, randomly, $r \in \{1, 2\}$ 
and transmits $E_r(K)$ to S. 

(3) S computes $K_i = D_i(E_r(K))$ for $i \in \{1, 2\}$. 
S chooses, randomly, $a \in \{1, 2\}$ and transmits 
... to R, where $M'_a = M_1$ and $M'_{3-a} = M_2$. 

Remarks: 

(1) Assuming that K looks like random noise and that $E_1, E_2$ have the same range, S 
can not guess with probability of success greater than one half which of the $K_i$'s, 
computed by him, is the K chosen by R. 

(2) Assume that the instances of the PKCS are free of any relation other than the 
cancellation of encryption by the corresponding decryption and that $K_i$ must be 
known in order to read $M_i$. 

(3) By (1) and (2), if S is not cheating then R can read $M_i$ iff $i = r$. Thus, he can 
detect cheating by S with probability one half. 

(4) In the RSA [RSA] scheme, distinct $E_i$'s may have different ranges. However, this 
difficulty can be overcome (see [EGL]). 

(5) One can use a one-time pad instead of the conventional cryptosystem F. 
1. Introduction 

We are mainly concerned with some open questions from [2] 
(see also Chap. 9 of the book [1]). Selecting permutations 
for speech scrambling with t.d.m. means to define a suitable 
weight-function or metric on $S_n$ (the full symmetric group). 
This can be done in a lot of different ways (see [12] p. 84). 
In speech scrambling Houghton's shift factor may be taken as a 
weight function. We tried to use the generalized weight-functions 
$m_1, m_2, \ldots$ etc. 

They are of independent interest from a combinatorial, number- 
theoretical and probabilistic point of view (see [5, 6], 
[10]). A thorough study reveals that $m_2$ should be preferred. 
An algorithm is given to generate permutations with a prescribed 
weight. The distribution functions of $m_k$ approach a normal dis- 
tribution (mean and variance for k = 1, 2 are known) for large n. 
This approximation is good even if n is small (n > 5). To com- 
pute the distribution function by combinatorial methods seems 
to be extremely difficult; only a small number of values are 
known exactly. $m_2$ is related to the problem of representing 
an integer number as a sum of squares. 

Compared with other crypto-systems speech scramblers have the 
capability for testing. The approach taken in [2] for testing 
a t.d.m.-system is unsatisfactory because no statistical methods 
are used. We recommend rank correlation methods (see [10]) and 
that means for example to use Spearman's $\rho$ based on $m_2$. 



It should be noticed that we used the book [2] in its original 
form as a report (Arbeitsberichte des Instituts f. Mathematische 
Maschinen u. Datenverarbeitung (Informatik), Bd. 14, 9; Erlangen, 
März 1982). All citations, page numbers etc. are given with 
respect to that original version of [2]. 

2. Weights on groups 

Let G denote a (multiplicatively written) finite group with unit 
element id and N the natural numbers (zero included). 

A mapping 

    $p: G \to N$ 

will be called a weight-function on G, if 

(1) $p(a) = 0 \iff a = id$ ($a \in G$). 

(2) $p(a) = p(a^{-1})$ for all $a \in G$. 

(3) $p(a \cdot b) \le p(a) + p(b)$ for all $a, b \in G$. 

By means of $d_p(a, b) = p(a \cdot b^{-1})$ we can associate a metric on G 
to each weight-function on G. This metric has the property 
$d_p(a, b) = d_p(a \cdot c, b \cdot c)$ for any $c \in G$; such a metric is called 
right-invariant. Conversely, if there is a right-invariant metric 
d on G, a weight-function $p_d(a) = d(a, id)$ on G is associated 
to d. We are only interested in $G = S_n$, where $S_n$ is to be under- 
stood as the full symmetric group on $\{1, 2, \ldots, n\}$. There are 
many ways to define a metric on $S_n$ (see for example [4]). Five 
common examples are given below, where $\|a\|_p$ is written instead 
of p(a) to emphasize the relationship to some well-known norm- 
functions. 

Examples ($\sigma, \pi \in S_n$, n > 1) 

a. $\|\sigma\|_k = \sum_{i=1}^{n} |\sigma(i) - i|^k$ (k = 1, 2, ...). 

b. $\|\sigma\|_I$ = number of inversions in $\sigma$ (if k < l and $\sigma(k) > \sigma(l)$ 
we call this an inversion of $\sigma$). 

$d_I(\sigma, \pi)$ = the minimum number of pairwise adjacent transpo- 
sitions needed to bring $\{\sigma^{-1}(1), \ldots, \sigma^{-1}(n)\}$ into the order 
$\{\pi^{-1}(1), \ldots, \pi^{-1}(n)\}$. Here $\sigma^{-1}$ and $\pi^{-1}$ are the permuta- 
tions inverse to $\sigma$ and $\pi$. 

c. $\|\sigma\|_T$ = the minimum number of transpositions required to 
bring $\{\sigma(1), \ldots, \sigma(n)\}$ into the order $\{1, 2, \ldots, n\}$. 

$d_T(\sigma, \pi)$ = the minimum number of transpositions required to 
bring $\{\sigma(1), \ldots, \sigma(n)\}$ into the order $\{\pi(1), \ldots, \pi(n)\}$. 

d. $\|\sigma\|_\infty = \max_{i = 1, \ldots, n} |\sigma(i) - i|$ 

$d_\infty(\sigma, \pi) = \max_{i = 1, \ldots, n} |\sigma(i) - \pi(i)|$ 

e. $\|\sigma\|_H = |\{i \mid \sigma(i) \neq i\}|$ (Hamming-norm) 

$d_H(\sigma, \pi) = |\{i \mid \sigma(i) \neq \pi(i)\}|$ (Hamming metric) 

We have the following inequalities 

    $\|\sigma\|_\infty \le \|\sigma\|_1 \le \|\sigma\|_2 \le \cdots \le \|\sigma\|_k$ 

for all $\sigma \in S_n$. 

For a general review of metrics on discrete groups and semi- 
groups see [3]. 



3. Combinatorics 

We start our investigations on weight-functions on the $S_n$ by 
a combinatorial approach. We are especially interested in 
$\|\cdot\|_1$ and $\|\cdot\|_2$ and use the notation $m_k(\sigma) = \|\sigma\|_k$ ($\sigma \in S_n$) 
given by J.L. Davison [5,6]. Let $\rho \in S_n$ be the reverse 
permutation $\rho(i) = n + 1 - i$ ($1 \le i \le n$). Throughout the paper we 
will write $\rho = (n, n-1, \ldots, 1)$ and, more generally, if $\sigma \in S_n$ 
is any permutation, then we will write $\sigma = (\sigma(1), \sigma(2), \ldots, \sigma(n))$. 

Multiplication $\sigma \cdot \pi$ ($\sigma, \pi \in S_n$) of permutations goes from right 
to left, e.g. if $\sigma = (2,3,4,1)$, $\pi = (4,1,3,2)$ then $\sigma \cdot \pi = (1,2,4,3)$. 



Lemma 3.1 If $\sigma \in S_n$, then $m_k(\sigma) \le m_k(\rho)$ and $m_k(\sigma)$ is an even 
integer for any k ≥ 1. 

Lemma 3.2 The maximal values attained by $m_1$ and $m_2$ are 

    $M_{1,n} = m_1(\rho) = \begin{cases} \frac{n^2}{2}, & \text{if } n \text{ is an even number} \\ \frac{n^2 - 1}{2}, & \text{if } n \text{ is an odd number} \end{cases}$ 

    $M_{2,n} = m_2(\rho) = \frac{1}{3} n (n^2 - 1)$ 

(We use the shorthand notations $M_1$, $M_2$.) 

In table 3.1 we have listed the maximal values for the different 
weight-functions considered in section 2. Instead of $\|\cdot\|_T$, 
$\|\cdot\|_I$ ... etc., we use the shorthand notations T, I ... and 
so on. As can be seen from table 3.1 the range of values of the functions 
H, ∞, T is very small relative to the number n! of permutations. 
That means it is impossible to make strong distinctions between 
different permutations. 



    weight-function    maximal value 
    ---------------    ------------------------ 
    $m_2$              $\frac{1}{3} n (n^2 - 1)$ 
    $m_1$              $[\frac{1}{2} n^2]$ 
    I                  $\frac{1}{2} n (n - 1)$ 
    H                  n 
    ∞                  n - 1 
    T                  n - 1 

    Tab. 3.1 



A useful result due to Cayley states that $T(\sigma) = n - C(\sigma)$, 
where $C(\sigma)$ is the number of cycles in $\sigma$. If a permutation 
has an inversion at (k, l), $1 \le k < l \le n$, that means $\sigma(k) > \sigma(l)$, 
then $\sigma(k) - \sigma(l)$ is called the weight of that inversion. 
Lemma 3.3 Let $V(\sigma)$ denote the sum of weights taken over all 
inversions that $\sigma$ has, then 

    $m_2(\sigma) = 2 V(\sigma)$. 

Lemma 3.4 If $\sigma \in S_{n-2}$ (n ≥ 3) we can construct a $\hat\sigma \in S_n$ with 

    $m_k(\hat\sigma) = 2 (n - 1)^k + m_k(\sigma)$. 

Theorem 3.1 For k = 1, 2: $m_k(S_n) \subseteq [0, M_k] =: I_k$ and, 
if n ≥ 4, let w be an even integer, $w \in I_k$. Then there exists 
a $\sigma \in S_n$ with $m_k(\sigma) = w$. 

Remarks The proof of theorem 3.1 goes through even if k ≥ 3, 
see Davison [6], Theorem 1, p. 72. It should be noted that 
Davison's proof together with some corollaries are only true 
if k ≥ 3. As can be seen from the proof of theorem 3.1 the value 
$M_2$ is attained by $m_2$ only if $\sigma = \rho$, and this remains true for 
k ≥ 3 and $M_k$. What concerns $m_1$ it can be seen by examples that 
it is possible to have $m_1(\sigma) = M_1$ and $\sigma \neq \rho$. In the case 
k ≥ 3 there are even values in $[0, M_k]$ which are not in $m_k(S_n)$ for n > 3, 
and that means not all even values in $[0, M_k]$ will be attained by $m_k$. 
Let k = 3 and n ≥ 10; then all even numbers in $[0, M_3 - 112]$ are in the 
range of $m_3$. There exist indeed always numbers $\alpha_k$, for all k ≥ 1, that 
have the property: $m_k$ attains all even numbers in 
$[0, M_k - \alpha_k]$ for $n \ge n_k$. An optimal selection for k = 1, 2 will be 
$n_1 = 2$, $\alpha_1 = 0$ and $n_2 = 4$, $\alpha_2 = 0$. In case k ≥ 3 there are no nontrivial 
values of $n_k$, $\alpha_k$ known (see Davison [6] 3. p. 74). 

Definition 3.1 Let r be a real number, r ≥ 0. 

    $S(\|\cdot\|_a, n, r) = \{\sigma \mid \sigma \in S_n, \|\sigma\|_a = r\}$ 

    $B(\|\cdot\|_a, n, r) = \{\sigma \mid \sigma \in S_n, \|\sigma\|_a \le r\}$ 

$|S(\cdot, \cdot, \cdot)|$ or $|B(\cdot, \cdot, \cdot)|$ denotes the number of elements in 
these sets. 

Theorem 3.2 We have 

    $|S(m_1, n, M_1)| = \begin{cases} ((\frac{n}{2})!)^2, & \text{if } n \text{ is an even number} \\ n \cdot ((\frac{n-1}{2})!)^2, & \text{if } n \text{ is an odd number} \end{cases}$ 
Theorem 3.3 We have for $\sigma \in S_n$ (n ≥ 2), 

    $m_2(\sigma) + m_2(\sigma \cdot \rho) = M_{2,n}$ 

and $m_2(\rho \cdot \sigma) = m_2(\sigma \cdot \rho)$. 

Corollary 3.3.1 Let n ≥ 4, and let w be an even integer, 
$w \in [0, \frac{1}{3} n (n^2 - 1)]$. Then there exists a $\sigma \in S_n$ with $m_2(\sigma) = w$. 

Lemma 3.5 Let n ≥ 5, then $n(n^2 - 1)/6 \le (n-1)((n-1)^2 - 1)/3$ and equality 
holds if and only if n = 5. 

Lemma 3.6 Let n ≥ 5 and w an integer number, $w \in [\frac{1}{6} n(n^2-1), \frac{1}{3} n(n^2-1))$. 
Then either $\bar w = \frac{1}{3} n(n^2-1) - w \le \frac{1}{3} \cdot 4 \cdot (4^2 - 1)$ or there exists a least 
integer number $\bar n$, $5 \le \bar n < n$, with $\bar w \in (\frac{1}{6} \bar n(\bar n^2-1), \frac{1}{3} \bar n(\bar n^2-1))$. 

Lemma 3.7 Let n ≥ 5 and w an even integer with $\frac{1}{6} n(n^2-1) < w < \frac{1}{3} n(n^2-1)$. 
Then there exists a permutation $\bar\sigma \in S_{\bar n}$ with $\bar n < n$ and $\|\hat\sigma\|_2 = w$, 
where $\hat\sigma$ is an extension of $\bar\sigma$ from $S_{\bar n}$ to $S_n$; the extension is 
defined by $\hat\sigma(i) = \bar\sigma(i)$ for $i \le \bar n$ and $\hat\sigma(i) = i$ for $i = \bar n + 1, \ldots, n$. 

This gives us a constructive method for finding, for any given 
even number w, $0 \le w \le \frac{1}{3} n(n^2-1)$, a permutation $\sigma \in S_n$ with $\|\sigma\|_2 = w$. 
We have thus proved that any such w may be (constructively!) 
represented as a sum of squares (see Davison [5] Th. 1). 

Example $\sigma \in S_8$, $\|\sigma\|_2 = 128$; we are looking for such a permutation. 

(1) w = 128, $\frac{1}{6} \cdot 8 \cdot 63 = 84 < 128 < 168 = \frac{1}{3} \cdot 8 \cdot 63$, $\bar n = 8$ 

(2) w = 40, $\frac{1}{6} \cdot 6 \cdot 35 = 35 < 40 < 70 = \frac{1}{3} \cdot 6 \cdot 35$, $\bar n = 6$ 

(3) w = 30, $\frac{1}{6} \cdot 5 \cdot 24 = 20 < 30 < 40 = \frac{1}{3} \cdot 5 \cdot 24$, $\bar n = 5$ 

(4) $\sigma = (3,5,2,4,1) \in S_5$, $\|\sigma\|_2 = 30$ 

(5) $\sigma = (3,5,2,4,1,6) \in S_6$, $\|\sigma\|_2 = 30$; 
    $\sigma \cdot \rho = (3,5,2,4,1,6) \cdot (6,5,4,3,2,1) = (6,1,4,2,5,3)$, $\|\sigma \cdot \rho\|_2 = 40$ 

(6) $\sigma = (6,1,4,2,5,3,7,8) \in S_8$, $\|\sigma\|_2 = 40$; 
    $\sigma \cdot \rho = (6,1,4,2,5,3,7,8) \cdot (8,7,6,5,4,3,2,1) = (8,7,3,5,2,4,1,6)$, 
    $\|\sigma \cdot \rho\|_2 = 128 = 7^2 + 5^2 + 0^2 + 1^2 + 3^2 + 2^2 + 6^2 + 2^2$ 
It is possible to generate immediately a second permutation 
of $m_2$-weight 128. We note that by theorem 3.3 it is admissible 
to multiply by $\rho$ from the left side in steps (5) and (6) above. 
This gives: 

    $\sigma = (5,7,4,6,3,8,2,1)$, 

    $128 = 4^2 + 5^2 + 1^2 + 2^2 + 2^2 + 2^2 + 5^2 + 7^2$ 

Taking into consideration all possible combinations of left and 
right multiplication by $\rho$ gives four permutations in all: 

    $\sigma = (8,7,1,6,3,5,2,4)$, 

    $128 = 7^2 + 5^2 + 2^2 + 2^2 + 2^2 + 1^2 + 5^2 + 4^2$ 

    $\sigma = (3,8,5,7,4,6,2,1)$, 

    $128 = 2^2 + 6^2 + 2^2 + 3^2 + 1^2 + 0^2 + 5^2 + 7^2$ 

In Figure 3.1 another approach for generating permutations of 
$m_2$-weight 128 is seen. We will not go into the details of an 
algorithm that generates a lot of different permutations. Our 
description is only an informal one; a more formal treatment will 
be given elsewhere. 

There are important relations between the various weight- 
functions which generally take the form of inequalities. 

Theorem 3.4 Let $\sigma \in S_n$, then 

(U1) $2 I(\sigma) \le m_2(\sigma) \le 2 (n - 1) \cdot I(\sigma)$ 

(U2) $m_2(\sigma)/(n - 1) \le m_1(\sigma) \le \min\{m_2(\sigma), (n \cdot m_2(\sigma))^{1/2}\}$ 

(U3) $m_2(\sigma) \ge \max\{\frac{4}{3} I(\sigma) \cdot (1 + I(\sigma)/n), 2 I(\sigma)\}$ 
(Durbin-Stuart inequality) 

(U4) $I(\sigma) + T(\sigma) \le m_1(\sigma) \le 2 I(\sigma)$ 
(Diaconis-Graham inequality) 

The Diaconis-Graham inequality suggests that the difference be- 
tween I and $m_1$ is not very great. The results in Table 3.1 
suggest that H, ∞ and T are unsuitable for use, having a very 
small range. There remains only $m_2$, which has the largest range 
and indeed, as Lemma 3.3 shows, is of a kind essentially different 
from I and $m_1$. 
Definition 3.2 Let $\|\cdot\|_a$ (a = 1, 2, ..., I, T, ∞, H) be a weight- 
function on $S_n$ (n ≥ 1). Then the map 

    $f_{a,n}: [0, M] \to [0, n!]$ 

where $M = \max\{\|\sigma\|_a \mid \sigma \in S_n\}$ and 

    $f_{a,n}(r) = |S(\|\cdot\|_a, n, r)|$, $r \in [0, M]$ 

is called the distribution-function of $\|\cdot\|_a$. 

From theorems 3.1, 3.2 we know $f_{1,n}(M_1)$, and $f_{2,n}(M_2) = 1$, 
$f_{i,n}(0) = 1$, $f_{i,n}(r) = 0$ if r is an odd integer (i = 1, 2). 

The distribution-function $f_{2,n}$ is symmetric about $\frac{1}{6} n (n^2 - 1)$: 

Lemma 3.8 $f_{2,n}(r) = f_{2,n}(M_2 - r)$, $r \in [0, M_2]$ an integer 
number. 

$f_{2,n}(r) \ge n - 3$ for n ≥ 4 and $r \neq 0, M_2$. 

In Table 3.2 we have computed some values of $f_{2,n}$ (n ≥ 4). 

    r      $f_{2,n}(r)$                                    r 
    ---    ----------------------------------------------  --------- 
    0      1                                               $M_2$ 
    2      n - 1                                           $M_2 - 2$ 
    4      $3 + \frac{1}{2} n (n - 5)$                     $M_2 - 4$ 
    6      $\frac{1}{6} n (n^2 + 59) - 2 n^2 - 14$         $M_2 - 6$ 

    Tab. 3.2 



Until now nobody has succeeded in computing the distribution-functions 
of $m_1$ and $m_2$ by combinatorial methods. 
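The weight-functions of Sec. 2 and the identities of Sec. 3 can be checked by brute force for small n. The following Python is an added example and not code from the paper; besides the checks it carries out the constructive sum-of-squares search of Lemmas 3.6 and 3.7 for general w and n (descending all the way to $S_4$ rather than stopping at $S_5$ as the worked example does). It assumes permutations written as tuples $(\sigma(1), \ldots, \sigma(n))$ and the right-to-left product $\sigma \cdot \tau$ of Sec. 3.

```python
from itertools import permutations
from math import factorial

# Added example, not code from the paper.  A permutation of S_n is the tuple
# (σ(1), ..., σ(n)); σ·τ means σ(τ(i)), the right-to-left product of Sec. 3.

def m_k(sigma, k):
    """m_k(σ) = Σ_i |σ(i) - i|^k  (Davison's notation for ||σ||_k)."""
    return sum(abs(s - i) ** k for i, s in enumerate(sigma, start=1))

def inversions(sigma):
    """I(σ): number of pairs k < l with σ(k) > σ(l)."""
    n = len(sigma)
    return sum(1 for k in range(n) for l in range(k + 1, n) if sigma[k] > sigma[l])

def inversion_weight_sum(sigma):
    """V(σ): the sum of σ(k) - σ(l) over all inversions (k, l)."""
    n = len(sigma)
    return sum(sigma[k] - sigma[l] for k in range(n) for l in range(k + 1, n)
               if sigma[k] > sigma[l])

def transposition_norm(sigma):
    """T(σ) = n - C(σ), C(σ) the number of cycles (Cayley's result)."""
    seen, cycles = set(), 0
    for i in range(1, len(sigma) + 1):
        cycles += i not in seen          # i starts a new cycle if not yet visited
        while i not in seen:
            seen.add(i)
            i = sigma[i - 1]
    return len(sigma) - cycles

def compose(sigma, tau):
    """σ·τ applied from right to left: (σ·τ)(i) = σ(τ(i))."""
    return tuple(sigma[tau[i] - 1] for i in range(len(sigma)))

def reverse_perm(n):
    """ρ = (n, n-1, ..., 1), the permutation of maximal weight."""
    return tuple(range(n, 0, -1))

def extend(sigma, n):
    """Extension of σ from S_m to S_n (m <= n) by the fixed points m+1, ..., n."""
    return tuple(sigma) + tuple(range(len(sigma) + 1, n + 1))

def M2(n):
    """M_{2,n} = n(n^2 - 1)/3 = m_2(ρ)."""
    return n * (n * n - 1) // 3

def distribution(weight, n):
    """f_{a,n}(r) = |S(||·||_a, n, r)| for every attained r, by enumerating S_n."""
    counts = {}
    for sigma in permutations(range(1, n + 1)):
        r = weight(sigma)
        counts[r] = counts.get(r, 0) + 1
    return counts

def check_section3(n):
    """Brute-force check over S_n of Lemmas 3.1 and 3.3, Theorem 3.3, Theorem 3.4
    (U1)-(U4) and, for n >= 4, Corollary 3.3.1.  Returns True if all of them hold."""
    rho, attained = reverse_perm(n), set()
    for s in permutations(range(1, n + 1)):
        m1, m2, I, T = m_k(s, 1), m_k(s, 2), inversions(s), transposition_norm(s)
        attained.add(m2)
        ok = (m2 % 2 == 0 and m2 <= M2(n)                                  # Lemma 3.1
              and m2 == 2 * inversion_weight_sum(s)                         # Lemma 3.3
              and m2 + m_k(compose(s, rho), 2) == M2(n)                     # Theorem 3.3
              and m_k(compose(rho, s), 2) == m_k(compose(s, rho), 2)
              and 2 * I <= m2 <= 2 * (n - 1) * I                            # (U1)
              and m2 <= (n - 1) * m1 and m1 <= m2 and m1 * m1 <= n * m2     # (U2)
              and 3 * n * m2 >= 4 * I * (n + I)                             # (U3)
              and I + T <= m1 <= 2 * I)                                     # (U4)
        if not ok:
            return False
    return n < 4 or attained == set(range(0, M2(n) + 1, 2))                 # Cor. 3.3.1

def check_tables(n):
    """Theorem 3.2 and the rows of Table 3.2 against the enumerated f_{1,n}, f_{2,n}."""
    f1 = distribution(lambda s: m_k(s, 1), n)
    f2 = distribution(lambda s: m_k(s, 2), n)
    half = factorial(n // 2) ** 2
    return (f1[max(f1)] == (half if n % 2 == 0 else n * half) and f2[2] == n - 1
            and f2[4] == 3 + n * (n - 5) // 2
            and f2[6] == n * (n * n + 59) // 6 - 2 * n * n - 14)

def sum_of_squares_perm(w, n):
    """σ in S_n with m_2(σ) = w (w even, 0 <= w <= M_{2,n}), found constructively:
    while w lies in the upper half of the range, pass to its complement in the least
    S_m (m >= 4) whose range contains w (Lemma 3.6); search that small S_m directly;
    climb back by extending with fixed points and multiplying by ρ (Theorem 3.3)."""
    if n < 4 or w % 2 or not 0 <= w <= M2(n):
        raise ValueError("need n >= 4 and an even w in [0, M_{2,n}]")
    steps, m = [], n
    while True:
        while m > 4 and M2(m - 1) >= w:      # least m >= 4 with w <= M_{2,m}
            m -= 1
        if m > 4 and w > M2(m) // 2:         # upper half: take the complement
            steps.append(m)
            w = M2(m) - w
        else:
            break
    sigma = next(p for p in permutations(range(1, m + 1)) if m_k(p, 2) == w)
    for target in reversed(steps):           # (extension)·ρ restores the old weight
        sigma = compose(extend(sigma, target), reverse_perm(target))
    return extend(sigma, n)
```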
4. Statistics 

An example from Kendall [10] p. 3 will clarify the discussion. 
Consider a number of boys (or girls) ranked according to their 
ability in mathematics and in music: 

    Boy               A   B   C   D   E   F   G   H   I   J 
    Mathematics (σ)   7   4   3  10   6   2   9   8   1   5 
    Music (π)         5   7   3  10   1   9   6   2   8   4 

We are interested in whether there is any relationship between 
ability in mathematics and music. In statistics widely used 
non-parametric measures of association such as Kendall's $\tau$ 
and Spearman's $\rho$ lead to natural metrics or weight-functions 
on $S_n$. Statisticians most often normalize metrics so that they 
have the properties of a correlation coefficient. The transla- 
tion is the following one: if d is a metric on $S_n$ and its maxi- 
mal value is M, define a rank correlation coefficient by 
normalizing d with M. 

Most of the metrics that we mentioned in section 2. were known 
for a long time in statistics as measures of disarray: 

    $\tau = 1 - \frac{4\, d_I(\sigma, \pi)}{n (n - 1)}$        (Kendall, 1938) 

    $\rho = 1 - \frac{6 \sum_{i=1}^{n} (\sigma(i) - \pi(i))^2}{n^3 - n}$        (Spearman, 1904) 

    $1 - \frac{3 \sum_{i=1}^{n} |\sigma(i) - \pi(i)|}{n^2 - 1}$        (Spearman's footrule, 1906) 

Most of the combinatorial results given in section 3. are there- 
fore known in statistics, e.g. nearly all results of Davison 
[5,6]. 
We look at weight-functions now from the point of view of 
probability theory. Then $S_n$ is the sample space and a weight- 
function is a random variable on that sample space. We assign 
the probability 1/n! to each event (permutation) in $S_n$. As can 
be seen from a graphical representation the distribution of the 
weight-functions corresponds with the normal curve. A limit 
theorem for $\|\cdot\|_I$ and $\|\cdot\|_T$ was given by Feller [8], p. 256; 
what concerns $\|\cdot\|_1$, $\|\cdot\|_2$ the limiting normality was proved by 
Kendall [10] Chap. 5.8, p. 72 by computation of higher moments, 
or one can use Hoeffding's [9] Th. 3, p. 560 combinatorial cen- 
tral limit theorem. In Table 4.1 mean and variance of $m_1, m_2, I$ 
and T are given. It is now very easy to calculate approximately 
the number of permutations $\sigma \in S_n$ with $r_1 < \|\sigma\|_a \le r_2$ (a = I, T, $m_1$, $m_2$). 
Let 

    $x_i = \frac{r_i - E(\|\cdot\|_a)}{(\mathrm{Var}(\|\cdot\|_a))^{1/2}}$   (i = 1, 2), 

then we have approximately 

    $\frac{n!}{\sqrt{2\pi}} \int_{x_1}^{x_2} e^{-t^2/2}\, dt$        (1) 

permutations $\sigma \in S_n$ with $r_1 < \|\sigma\|_a \le r_2$. 

    weight-function    mean                         variance 
    ---------------    -------------------------    ------------------------------------ 
    $m_1$              $\frac{1}{3} (n^2 - 1)$      $\frac{2}{45} n^3 + O(n^2)$ 
    $m_2$              $\frac{1}{6} n (n^2 - 1)$    $\left(\frac{n^3 - n}{6}\right)^2 \cdot \frac{1}{n - 1}$ 
    T                  $n - \log n$                 $\log n$ 
    I                  $\frac{1}{4} n^2$            $\frac{1}{36} n^3$ 

    Tab. 4.1 

In Table 4.1 for T, I only the leading terms of the mean and 
variance are indicated. The results in Table 4.1 suggest again 
that $m_2$ should be preferred. Of the four metrics $m_2$ has the 
greatest variability. 
From the report of Beth et al. [2] we have taken the distri- 
bution of $m_1$ on $S_8$ and listed it in Table 4.2. In Table 4.3 we 
have calculated that distribution by formula (1) by means of 
a HP25 pocket-calculator. In comparison with Table 4.2 it be- 
comes quite clear that for all practical purposes such an ap- 
proximation is good enough. 

    $m_1$-weight   score      $m_1$-weight   score 
    ----------     -----      ----------     ----- 
    0              1          20             5708 
    2              7          22             5892 
    4              33         24             5452 
    6              115        26             4212 
    8              327        28             2844 
    10             765        30             1764 
    12             1523       32             576 
    14             2553 
    16             3696 
    18             4852 

    Tab. 4.2 Distribution of $m_1$ on $S_8$ 

    $m_1$-weight   approximate score   true score   error in % 
    ----------     -----------------   ----------   ---------- 
    22             6551                5892         +11 
    22 - 24        12006               11344        +6 
    22 - 26        15957               15556        +2.5 
    22 - 28        18274               18400        -0.7 
    22 - 30        19433               20164        -3.6 
    22 - 32        19920               20740        -4 
    32             487                 576          -15 

    Tab. 4.3 Normal approximation to the distribution 
    of $m_1$ on $S_8$. 
The distribution of $m_1$ on $S_n$ is known for n = 4 - 13 from tables 
given by Kendall [10] (Appendix Table 2, pp. 174-177); if 
n ≥ 14 then the normal approximation is good enough. 

5. Testing a t.d.m.-system 

We look at an example given by Beth et al. [2], pp. 136, 140. 
Six different texts together with their intelligibility 
and the permutation used for scrambling are listed in Table 5.1. 
This gives the following ranking: 

                                                   ties 
    rank by $m_1$-weight      1   2   3   4   5 1/2   5 1/2 
    rank by intelligibility   1   3   4   5   2       6 

where equal weights of the last two permutations give rise to 
ties. We then have 

    $\rho = 1 - \frac{\ldots}{35} = 0.56$ 

where the rank correlation coefficient $\rho$ is modified because 
of the tied ranks (see Kendall [10] Chap. 3). The standard 
error of $\rho$ is $\frac{1}{\sqrt{5}} = 0.45$. Thus the observed value is 
0.56/0.45 = 1.24 times the standard error. This is barely 
significant. 



    text no.   permutation            intelligibility   $m_1$-weight 
    --------   -------------------    ---------------   ----------- 
    1          (1,2,3,4,8,6,5,7)      1                 6 
    2          (7,1,3,4,5,2,6,8)      3                 12 
    3          (7,2,6,3,4,5,8,1)      4                 20 
    4          (6,4,8,1,2,7,3,5)      5                 26 
    5          (5,6,7,8,1,2,3,4)      2                 32 
    6          (6,5,8,7,2,1,4,3)      6                 32 

    Tab. 5.1 
Rank order statistics are thus well-suited for use in testing 
a t.d.m.-system. What concerns refinements and further possi- 
bilities we refer to Kendall [10]. We emphasize that a thorough 
testing of a t.d.m.-system should improve its security. 
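The test of Sec. 5 recomputed from the data of Table 5.1, as an added example that is not part of the paper: the $m_1$-weights are recomputed from the permutations, the tie gets the mean of the ranks it occupies, and Spearman's $\rho$ and its standard error $1/\sqrt{n-1}$ follow. The mid-rank convention and the formula $\rho = 1 - 6\sum d^2/(n^3 - n)$ are assumed from Kendall's usual definitions.

```python
from math import sqrt

# Added example, not from the paper.  Input constructed by copying Table 5.1:
# (text no., permutation used for scrambling, intelligibility score).
TABLE_5_1 = [
    (1, (1, 2, 3, 4, 8, 6, 5, 7), 1),
    (2, (7, 1, 3, 4, 5, 2, 6, 8), 3),
    (3, (7, 2, 6, 3, 4, 5, 8, 1), 4),
    (4, (6, 4, 8, 1, 2, 7, 3, 5), 5),
    (5, (5, 6, 7, 8, 1, 2, 3, 4), 2),
    (6, (6, 5, 8, 7, 2, 1, 4, 3), 6),
]


def m1(sigma):
    """m_1(σ) = Σ |σ(i) - i|, the weight listed in Table 5.1."""
    return sum(abs(s - i) for i, s in enumerate(sigma, start=1))


def mid_ranks(values):
    """Rank the values from 1 upwards; tied values share the mean of their ranks
    (the convention assumed here for Kendall's tie treatment)."""
    order = sorted(range(len(values)), key=lambda j: values[j])
    ranks = [0.0] * len(values)
    j = 0
    while j < len(order):
        k = j
        while k + 1 < len(order) and values[order[k + 1]] == values[order[j]]:
            k += 1                        # extend the block of equal values
        mean_rank = (j + 1 + k + 1) / 2   # ranks j+1 .. k+1 averaged
        for pos in order[j:k + 1]:
            ranks[pos] = mean_rank
        j = k + 1
    return ranks


def spearman_rho(x, y):
    """Spearman's ρ = 1 - 6 Σ d^2 / (n^3 - n) on mid-ranks; returns (ρ, Σ d^2)."""
    rx, ry = mid_ranks(x), mid_ranks(y)
    d2 = sum((a - b) ** 2 for a, b in zip(rx, ry))
    n = len(x)
    return 1 - 6 * d2 / (n ** 3 - n), d2


def tdm_test(rows=TABLE_5_1):
    """Correlate the scrambling weight with the intelligibility of the six texts.
    Returns (weights, ρ, standard error 1/sqrt(n-1), ρ / standard error)."""
    weights = [m1(p) for _, p, _ in rows]
    intelligibility = [s for _, _, s in rows]
    rho, _ = spearman_rho(weights, intelligibility)
    se = 1 / sqrt(len(rows) - 1)
    return weights, rho, se, rho / se


if __name__ == "__main__":
    weights, rho, se, ratio = tdm_test()
    print(f"m_1-weights: {weights}")
    print(f"rho = {rho:.2f}, standard error = {se:.2f}, ratio = {ratio:.2f}")
```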
SECURITY OF TRANSPORTABLE COMPUTERIZED FILES 

A. Bouckaert, M.D., Ph.D. 
School of Public Health 
Catholic University of Louvain 
B-1200 Brussels, Belgium 

1. SCAMPI (Starting on conception automatic medical profile of individual) 

The SCAMPI system is a generalization of the personal medical file. 
It includes features like transportability, continuous update, pro- 
tection of confidentiality, unerasability. As a distinctive charac- 
ter, it includes a summary of pregnancy and birth as its first subset. 
Other points of interest, together with the main specificities of the 
system, are described below. 

A) The file is stored on a floppy disk belonging to the patient (ID). 
Since the data were coded using a binary conversion, they are dif- 
ficult to understand without a specific program. This specific 
program is not the patient's property. It includes a double key 
requiring for each access the simultaneous agreement of the pa- 
tient and of the "master of the data". The meaning of "master of 
the data" and "owner of the program" will be made explicit later 
on . 

B) The ID is entirely made of records produced by persons who are generally 
medical doctors or medical personnel. Those data producers will 
be considered as "masters" of the data they have produced (and 
recorded), i.e. of a sub-ID. 

For example, the gynecologist is the master of the data he fed 
into the file during pregnancy. To be master is to be responsible 
and co-owner. 

Consequently, any ID can be broken down into sub-IDs with different 
masters, each one being co-owned by its master and by the 
ID owner. For example, in the sub-ID dealing with birth, data 
were produced by the gynecologist but also by the anesthetist and 
by the pediatrician. These three persons share the medical secret 
of the sub-ID together with their collective co-ownership of the 
sub-ID according to the traditional rules of shared medical 
secrets. 

An integral copy of the ID is produced together with the ID it- 
self. While it seems wise to ask the family doctor to keep the 
copy, a more elaborate system will actually be described in a 
later section (4.4). 

The family doctor has no right to access the whole ID but only a 
subset defined by the validity extent of the double key patient- 
master. 

The only program allowing the whole ID to be read is the property 
of the designers of the SCAMPI software. However, even that per- 
son is not likely to be able to read the ID completely very often, 
since this would require prior communication of the key of the 
patient and of all the keys of the masters. 

Data entry, display and update require the use of PASCAL code. 
The PASCAL source is never communicated to data producers or 
owners. Hence no paper or other visual memo will allow the rules 
of double keys to be broken by additional programming. Each sub-ID 
is accessed by a different program. Programs belong to three main 
classes: 

1° data entry, checking, copy (for medical practitioners) 
2° administrative forms production (for public services and hos- 
pital administrators) 
3° statistics (for epidemiologists and public health managers). 

Classes 1° and 2° are subject to the traditional rules of medi- 
cal ethics. Class 3° falls under the jurisdiction of the statis- 
tical secret. The latter is no less exacting than the medical se- 
cret, since it requires for example a programmed deletion of all 
identifications, as well as special measures of protection 
against indirect identification that will be discussed below. 

Since January 1st, 1984, the first program of class 1° with ID 
production has been run in the obstetrics department of the St. Luke 
Hospital in Brussels. By the end of 1984, that program will be 
complemented by others belonging to classes 2° and 3°. A postneonatal 
pediatric follow-up will then become mandatory (immunization timetable, 
growth charts). SCAMPI can be expected to have significant consequences 
in at least three fields: 

1) From a medical point of view, a pediatric follow-up and a feed- 
back between obstetrics and pediatrics can be obtained without 
any additional clerical work. 

2) For administrators, the system could mean a considerable improve- 
ment, since the six to eight forms that are routinely produced 
by hand for each birth will now be produced automatically 
with no limit on the number of copies. Important also for public 
health, the compulsory linkage between the birth premium and a mini- 
mum number of prenatal visits can now be more easily and realis- 
tically enforced. 

3) As a social consequence, the ownership of the data about her own 
pregnancy is a modest but real increase in the mother's responsi- 
bility and autonomy. 

2. DATA ENTRY 

The SCAMPI development was initiated by a PASCAL program used on the 
Apple II micro-computer for the obstetrics department of the St. Luke 
Hospital. The program runs interactively for data entry, storage, re- 
trieval and corrections. 

Two kinds of data are fed into the micro-computer during birth: 

a) A pregnancy record (about 300 pieces of information) extrac- 
ted from the hand record just before it leaves the department 
to be included in the Central Archives of the hospital. 

b) A birth record (about 100 pieces of information) whose data 
are entered in real time, and including an anaesthesiological 
sub-record. 

While the child stays in the neonatal department, the last part of 
the data is entered. Neonatal data entry cannot proceed later than 
the departure of mother and child from the hospital. Information 
communicated by neonatal metabolic screening (PKU, hypothyroidism) 
will usually not be available at that time and will have to be ente- 
red later on. 
Interactivity means e.g. 
a) That logical mismatches or impossibilities are diagnosed and 
their entry into the file is prevented. 

b) No missing data should be tolerated. Partial filling of a file 
for one birth precludes data entry for the next one (but for 
special procedures unknown to common operators). 

c) Data are stored on floppy disks. They can be retrieved, dis- 
played and altered. 

d) The same program uses the same data in text-processing mode 
to print a letter to the family doctor. 

This program (PETERPAN) was produced by a general PASCAL program 
(GENFORM) used to generate interactive questionnaires defined para- 
metrically. GENFORM (except for some minor improvements) was written in 
1982. It requires comments, controls and some other parameters to be 
able to produce any computer questionnaire. GENFORM was used for a 
variety of medical problems (leprosy, school medicine, dental health). 
Data stored on floppy disk are first grouped into the PASCAL "record" 
structure. The record includes all data stored in a "packed array of 
CHAR" except anaesthesiological data (REAL) and identifications 
(STRING). About 100 records can be stored on a single-density Apple II 
diskette. Replacement of STRINGs by numeric codes for identification 
allows the content of the floppy disk to reach 200 records. A floppy 
disk with PASCAL formatting and one single record is given to the 
mother when she leaves (ID of child). 

3. FOLLOW-UP 

The ID follows the child for all its life, growing at the same pace 
as it grows. From the first day of its production it conforms to the two 
rules of patient ownership and shared use by programming. 
Shared use means: 

1) To read the ID, one needs as many programs as there are sub- 
IDs. 

2) As a rule, any data producer owns the program that allows 
him to visualize the data he entered himself. 

3) Moreover he is entitled to read the data entered by other 
producers so far as this does not require another program in 
addition to his. 






Traditionally, and leaving aside any technical consideration, it is 
accepted that the medical secret is shared if this can be of any use- 
fulness to the patient. The pediatrician is entitled to know what 
happened during pregnancy to the child he treats. This is no more a 
breach of confidentiality than the usual rule of medical practice de- 
manding that all data that could possibly be of interest to the phy- 
sician in charge should be communicated to him. The same reasoning 
leads to other conclusions: the proper treatment of the child does 
not require a full knowledge of the gynecological past of the mother. 
Since this is no longer in the utmost interest of the patient, it is 
actually forbidden and should be made technically unfeasible by 
appropriate software or hardware protections. 

The same rules hold true for the information flow through pediatrics 
and school medicine. 

4. INFORMATION SHARING 

Some data deserve special consideration, like the neonatal metabolic 
screening results and the immunization timetable. The diagnosis of an 
inborn error of metabolism should be considered as a medical emergen- 
cy and the relevant information should be communicated by phone or by 
fast mail to the family practitioner. Changing house or changing 
family doctor at the moment of communication can be very hazardous 
and threatens to reduce the benefits of screening to nil. It is sug- 
gested that some device should be used to signal the temporary igno- 
rance of the screening results. Since these results are usually not 
yet available in the hospital, and since communication between screen- 
ing labs and hospital is likely to be faster than between lab and 
family, the ID copy of the hospital will signal by a "red flag" that 
the screening produced pathological results requiring immediate care. 
As soon as the hospital doctors are confident that a proper treatment 
has been started, the "red flag" is replaced by the identification of 
the family doctor, the screening results and the opening of a special 
subfile for subsequent biochemical controls. 

A similar system can be used with the patient's ID in order to avoid 
interfering with the immunization timetable. 
4.1. Ownership and use 

Use and ownership are kept separate. The child (and, up to adult 
age, his legal representatives, i.e. his parents) is the owner of the 
ID. But he receives no program that would enable him to read it. He 
is also supposed to maintain the physical integrity of the ID. Copies 
will be supplied to compensate for loss or destruction, but this will 
be charged to the owner in order to discourage carelessness. 

The user can read all the data he produced himself as well as the 
data shared by other producers, subject to the programmed compliance 
with medical confidentiality regulations. Any copy to a central file 
(as would occur for scientific processing, for example) requires that 
identifications should first be cleared. 
Some users are completely outside of the medical secrecy. Hence their 
share of the data is narrowly limited. 

For example, hospital administration, insurances, the Ministry of 
Health and the town administrations can be allowed access to a specific 
subset of the data without any medical connotation, related to accoun- 
ting and certifications. 

One of the long-term objectives of SCAMPI is to ban hand copies from 
the processing of medical information. 

4.2. Advantages and inconveniences 

a) Increased productivity of the hospital manpower. 

Clerical tasks and, prominently, hand copies, were consuming a 
disproportionate share of their available time. 

b) Information persistence: In the present situation, a large per- 
centage of medical information can be considered as lost within 
a few years. To support this opinion, it is well known that the 
paediatrician has to trust the mother's memories at the first 
visit in school medicine in order to learn the birth weight of 
a child. Later on, those information losses will grow worse and 
more expensive (e.g. some cases of PKU went three times through 
the diagnostic procedure and the parents are still not aware of 
the specific risk at the time of the next pregnancy). 
As a rule, the multiplication of diagnostic procedures in pa- 
tients whose previous results were lost contributes to a cer- 
tain degree to the costs of our expensive medical system. 

c) Scientific use of information: Most retrospective epidemiologi- 
cal studies are plagued by the inaccuracy of collected data. 

d) Threats: Floppy disks cannot be seriously contemplated as long- 
term information supports. Hence, they should be dropped from the 
SCAMPI system as soon as possible. A satisfactory support should 
fulfill at least the following requirements: 

1° not erasable (READ ONLY) 

2° not alterable 

3° cheap 

4° transportable 

5° inexpensive retrieval 

6° obsolescence-protected by being readily transferred on a new 
storage medium 

( N.B. : The "smart card" could probably meet those requirements) 

e) Threats: The impression of confidentiality for non-computerized 
medical records reflects principally their heterogeneity and 
systematic loss. Abuses are uncommon because information synthe- 
sis is as difficult for abusers as it is for legitimate users. 
As soon as the ID can be accessed, the potential profit of abuse 
increases dramatically. 

Summarizing, the medical secrecy of non-computerized records is 
usually the secrecy surrounding information already lost. 
Problems of security are likely to be met as soon as the informa- 
tion is available. Potential abusers include business, insurance 
companies, security agencies. 

f) Conclusion: In order to earn acceptability, SCAMPI needs effi- 
cient coding (i.e. encryption) procedures. These procedures should be 
allowed to evolve at the same pace as the cryptolo- 
gical art, since no absolute protection is known. 
4.3. Medical secrecy 

The very old concept of medical secret is a particularly sensitive 
aspect of professional secret. 

The interests of patient and society are best served if information 
collected in the course of medical activities is kept secret, and 
this has been acknowledged for centuries. The medical secret is not 
only binding for the doctor but also for all persons that happen to 
be drawn into it (family, colleagues, medical personnel). Secret 
sharing by medical practitioners is a natural complement of the medi- 
cal secret, since there is no other way to allow the patient to bene- 
fit from the diverse experience of the medical community. Its limits 
follow from the well-understood benefit of the patient: radiological (RX) data 
are obviously to be shared with the surgeon, while psychiatric data 
are not to be communicated to the dermatologist. 

Moreover, the patient has no right to allow disclosure of the medical 
secret whose provisions can only be lifted by a higher imperative 
justified by patient and society benefits. To accept the patient's, 
right to lift the secret would obviously make him vulnerable to 
blackmail. 

Since the principles are clear enough, and have received detailed legal and 
jurisprudential treatment, their translation into software still 
has to be realized. Such a translation will make sure that no confu- 
sion arises between normal secret sharing between colleagues and 
criminal secret violation. 

4.4. Notary 

In the present situation, the medical secret is kept by the doctor 
and follows him to the grave. This is clearly information spillage 
and does not agree with our general concept of ownership of the data. 
A computerized protocol of data communication can be implemented that 
is activated not only by the patient's decision to go to another 
practitioner or by the loss of the ID copy, but also by the death of the 
practitioner. 

Generalizing, it amounts to using a medical notary rather than the 
family doctor as the repository of the integral ID. 
Such a move involves more than just a change of denomination. The 
functions of keeper and user of medical information are more clearly 
dissociated in the person of a medical notary than they could be in 
a medical practitioner. 

Moreover, the medical notary does not need to be one physical person. 
It seems specially attractive to consider the case where two physical 
half-notaries must cooperate. Each half-notary owns a half ID and the 
addresses that allow the merging of the two halves, and each half-nota- 
ry is aware of the identity of his counterpart. 

No program allows the complete ID to be read. The half-notaries can only 
use programs that allow specific parts of the ID to be merged as a pre- 
liminary step towards data communication on authenticated request of 
both patient and doctor. 

4.5. The dictator 

A dictator is useful to access some data of the ID without prelimina- 
ry agreement of patient or doctor. The dictator's usefulness is ob- 
vious in cases of unconsciousness, emergency, etc. ... Many deaths 
or severe injuries result from the difficulty of communicating with 
unconscious persons. Most frequently, this occurs with brain damage, 
uraemia, metabolic shock . . . and these emergencies are routinely 
neglected because they are misclassified as acute alcoholic intoxi- 
cation. In large towns of the West, problems like drug, AV block, 
diabetes, are likely to be met with increasing frequency as a result 
of medical progress and social involution. 

The dictator is able to read some information (related to drug al- 
lergies, blood groups, previous diagnoses of shock). Any dictator's 
access should be authenticated and identified; the dictator will be 
held responsible for his actions before the appropriate jurisdictio- 
nal court. 

4.6. Transfers 

A specific, physically unique localization is unnecessary for the ID. 
It is sufficient to be able to assemble its halves, possibly by tele- 
communication from the half-notaries. 

4.7. Benefits and inconveniences 

The legal concepts that call for data encryption can also be invoked 
for new definitions like the medical notary and dictator. The theo- 
retical legal basis of these concepts should be carefully investiga- 
ted at the same time as the relevant software is developed. 
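The access rules of sections 1, 4.1, 4.4 and 4.5 (double key per sub-ID, masters as co-owners, half-notaries, dictator) can be written down as an executable model. The following Python program is an added illustration and is not the SCAMPI software: it realises the double key cryptographically, by deriving each sub-ID key from both the patient's key and the master's key, which is the kind of coding procedure section 4.2 (f) calls for. The key values, the record, the set of emergency fields, the XOR splitting between half-notaries and the audit format are all assumptions of the example.

```python
"""Executable model of the SCAMPI access rules: a double key per sub-ID,
data masters, half-notaries and the dictator. Added illustration, not
the SCAMPI software; all keys and records below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed demo secrets: the patient's key and one key per data master.
PATIENT_KEY = b"patient-key-demo"
MASTER_KEYS = {"gynecologist": b"gyn-key-demo", "pediatrician": b"ped-key-demo"}
# Fields the dictator may read without patient/master agreement (assumed set).
EMERGENCY_FIELDS = {"blood_group", "drug_allergies", "previous_shock"}


def sub_id_key(patient_key: bytes, master_key: bytes, name: str) -> bytes:
    """Double key: derived from BOTH keys, so neither party alone can open the sub-ID."""
    return hashlib.sha256(b"|".join([patient_key, master_key, name.encode()])).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256(key || block counter) as keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


@dataclass
class SubID:
    master: str
    ciphertext: bytes
    tag: bytes          # HMAC over the ciphertext: a wrong key is refused, not garbled
    emergency: dict     # cleartext subset readable by the dictator


@dataclass
class PatientID:
    subs: dict = field(default_factory=dict)    # sub-ID name -> SubID
    audit: list = field(default_factory=list)   # record of every dictator access


def write_sub_id(pid: PatientID, name: str, master: str, record: bytes, emergency: dict) -> None:
    """The master records a sub-ID; only EMERGENCY_FIELDS may be stored in clear."""
    if set(emergency) - EMERGENCY_FIELDS:
        raise ValueError("only emergency fields may be stored in clear")
    key = sub_id_key(PATIENT_KEY, MASTER_KEYS[master], name)
    ct = xor_stream(key, record)
    pid.subs[name] = SubID(master, ct, hmac.new(key, ct, "sha256").digest(), emergency)


def read_sub_id(pid: PatientID, name: str, patient_key: bytes, master_key: bytes) -> bytes:
    """Access needs the patient's key AND the key of this sub-ID's master."""
    sub = pid.subs[name]
    key = sub_id_key(patient_key, master_key, name)
    if not hmac.compare_digest(hmac.new(key, sub.ciphertext, "sha256").digest(), sub.tag):
        raise PermissionError(f"double key for sub-ID {name!r} not satisfied")
    return xor_stream(key, sub.ciphertext)


def split_for_notaries(blob: bytes) -> tuple:
    """Half-notaries: XOR split (assumed scheme); either half alone is uniformly random."""
    pad = os.urandom(len(blob))
    return pad, bytes(a ^ b for a, b in zip(blob, pad))


def merge_halves(half_a: bytes, half_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(half_a, half_b))


def dictator_read(pid: PatientID, name: str, dictator: str) -> dict:
    """Emergency access without patient/master agreement: identified and logged."""
    if not dictator:
        raise PermissionError("dictator access must be authenticated and identified")
    sub = pid.subs[name]
    pid.audit.append({"who": dictator, "sub_id": name, "fields": sorted(sub.emergency)})
    return dict(sub.emergency)


def demo() -> dict:
    pid = PatientID()
    write_sub_id(pid, "birth", "gynecologist", b"delivery 1984-01-05, no complications",
                 {"blood_group": "O-", "drug_allergies": "penicillin"})
    plain = read_sub_id(pid, "birth", PATIENT_KEY, MASTER_KEYS["gynecologist"])
    try:   # the pediatrician holds a master key, but not this sub-ID's double key
        read_sub_id(pid, "birth", PATIENT_KEY, MASTER_KEYS["pediatrician"])
        refused = False
    except PermissionError:
        refused = True
    half_a, half_b = split_for_notaries(pid.subs["birth"].ciphertext)
    merged_ok = merge_halves(half_a, half_b) == pid.subs["birth"].ciphertext
    emergency = dictator_read(pid, "birth", "emergency-ward-physician")
    return {"plain": plain, "refused": refused, "merged_ok": merged_ok,
            "emergency": emergency, "audit_entries": len(pid.audit)}
```

The HMAC tag is what turns "difficult to understand without the program" into an actual refusal: a reader holding only one of the two keys gets a PermissionError rather than a plausible-looking garble, and the dictator path is the only one that bypasses the double key, at the price of an identified audit entry.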



ENCRYPTION AND KEY MANAGEMENT FOR THE ECS SATELLITE 
ABSTRACT 

This contribution describes the encryption and key management 
techniques realised with prototype hardware by British Telecom 
Research for use on the SatStream service offered on the 
European Communication Satellite. The security objectives, 
channel unit functions and operation, encryption methods and key 
management systems are described. 
INTRODUCTION 

British Telecom International's European SatStream service (1) 
will offer business telecommunications by satellite. This 
service will include digital single-channel-per-carrier and 
continuous mode frequency division multiple access links via the 
European Communication Satellite (ECS) . The broadcast capability 
of SatStream allows customers' transmissions to anywhere in 
Europe with relatively small and cheap earth stations. This is a 
significant advantage over the terrestrial network, but at the 
same time it makes the links more vulnerable to eavesdropping. 

The unauthorised reception of SatStream traffic would require 
considerable expertise and financial investment; nevertheless it 
was decided to develop an optional encryption facility to 
provide for the total security of sensitive customer data when 
this is required. This facility renders the data on the 
SatStream link entirely unintelligible to all except the 
intended recipient stations. Similar encryption facilities have 
been defined for the United States Satellite Business Systems 
(2) and French Telecom 1 (3) business satellites. 

SECURITY OBJECTIVES 

The SatStream encryption scheme is designed to meet the 
following security objectives: 

-To render customer data transmissions unintelligible to 
unauthorised receivers, 
-To prevent inadvertent transmission of unencrypted data 
even under equipment failure conditions, 
-To prevent theft, unauthorised use, or unauthorised 
modification of cryptographic equipment while installed, 
-To prevent unauthorised disclosure or modification of 
sensitive data (plaintext, unencrypted key-variables....) 
while in cryptographic equipment, 
-To support secure key-variable generation and key-variable 
management. 

These principles were kept constantly in view during the design 
of the earth station baseband channel units which incorporate 
the encryption facility. 

CHANNEL UNIT BASEBAND FUNCTIONS 

The British Telecom baseband channel unit for the SatStream 
service consists of transmit and receive half units. Each half 
unit may be used independently of the other, and this is of 
importance since one of the SatStream service options requires 
the ability for one transmitter to broadcast to a number of 
receive-only stations. 

The transmit half unit performs the following functions: 

-Synchronisation to the incoming user data, which may be in 
CCITT G703 format (64 kilobits per second codirectional), 
X21 format (nx64 kilobits per second, where n = 2 to 30), 
or G732 format (2.048 Megabits per second), 
-Conversion of the incoming data to a G732-like framed 
structure if it is not already in that format, 
-Calculation of the encryption parameters and insertion 
into the G732-like format at multiframe level, 
-Encryption of the user data, 
-Transmission of the encrypted data in the G732-like 
multiframe format. 

The receive half of the unit performs a complementary set of 
functions to those of the transmit unit, namely: 

-Synchronisation to the incoming data with the G732-like 
multiframe format, 
-Recovery of the encryption parameters from the multiframe 
structure, 
-Decryption of the data, 
-Output of the recovered data in its original G703, X21 or 
G732 format. 

A block diagram of these functions is set out in figure 1. Some 
further baseband processing is also performed on the data before 
it is passed to the earth station modulator or received from the 
demodulator; in particular half-rate error protection using the 
Viterbi Forward Error Correction algorithm is applied to all 
data. Data is also scrambled to remove long strings of binary 
'1's or '0's, or short cyclic periodic structures embedded in the 
data, since data with these characteristics would cause problems 
over the satellite link. 

FRAME AND MULTIFRAME STRUCTURE 

All data flowing over SatStream links is structured into a 
format similar in conception to the CCITT G732 specification as 
used in the 30 channel Pulse Code Modulation (PCM) systems in 
the terrestrial network, but with certain important 
modifications. This structure is used to advantage to ensure 
reliable operation of the encryption system. 

The structure is shown in figure 2. Each data frame comprises 64 
time slots (or bytes) of 8 bits each, thus each frame is 
effectively a 'double' G732 frame (one 'odd' plus one 'even' 
frame in G732 terminology). All the time slots within the frame 
contain customer data apart from four time slots reserved for 
special purposes. These are time slot (TS) 0, which contains the 
frame unique word, TS16 with TS48, which may be used for 
signalling information, and TS32, which contains message fields. 

The 512-bit frame thus contains (64-4)x8=480 bits of customer 
data. Customer data presented in G703 or X21 format is therefore 
subject to an expansion of 32/30 over the satellite path, 
while data already in G732 format remains unexpanded. The frame 
unique word contains a fixed 7 bit code, the presence of which 
denotes the first time slot of a new frame. 

A multiframe is defined as 64 frames, and a fixed multiframe 
unique word is carried in time slot TS32 during the course of the 
multiframe. Other TS32 bits are used to convey Initialisation 
Vectors (IVs) for encryption synchronisation, the identification 
of the encryption key-variable in use, and the identification of 
the transmitting station ( 16 bits ) and station channel unit ( 
8 bits ) . 
ENCRYPTION FACILITY 

Design 

The encryption facility on the channel unit is designed for very 
high security against attack by an adversary. This security 
derives from the digital encipherment of the customer data using 
a complex algorithm in stream cipher mode under the control of 
long, random key-variables. 

Encryption method 

The method of encryption is shown in figure 3. The customer data 
( or "plaintext" ) is "Exclusive ORed" with a randomising 
pattern ( or "key-stream" ) from the cryptographic engine to 
produce an unintelligible output ( "ciphertext" ). Synchronised 
'Exclusive ORing' of an identical key-stream at the receive end 
of the link will then regenerate the plaintext. This process is 
termed "stream ciphering" and is well-suited to SatStream 
because the resulting encryption is transparent to customer data 
and it has no error extension property. Each error on the 
enciphered satellite path causes only one error in the 
deciphered plaintext. This is essential in a satellite 
application when high error rates are the rule in fading 
conditions. The stream cipher mode is not self-synchronising and 
an overhead is incurred as a result. 

The equipment on the transmit side thus structures the data and 
forms the ciphertext using keystream output from the 
cryptographic engine, while the receive unit disassembles the 
frame and applies the converse operation to recover the 
plaintext. The keystream pattern is controlled by the 
cryptographic algorithm, the contents of the cryptographic 
engine input register, and by the secret key-variable. These are 
discussed in turn below. 

Algorithm 

The security of the encryption facility is made to depend only 
on the key-variable in use by selecting a sufficiently strong 
cryptographic algorithm. Following normal cryptographic 
philosophy the SatStream facility has moreover been designed so 
that it is impracticable for an adversary to deduce a key- 
variable even given full knowledge of all the hardware and 
quantities of matched plaintext and ciphertext ( "Known 
plaintext attack" ) . In particular, the number of possible key- 
variables is so large that it is computationally infeasible for 
an adversary to discover the key-variable in use by exhaustive 
search . 

The United States' Data Encryption Standard ( DES ) was 
considered for this application but would have caused 
difficulties in supply and uncertainty regarding intellectual 
property. An alternative, unencumbered, algorithm was made 
available by British Telecom Cryptographic Products, which was 
internationally adopted for exclusive use on the SatStream 
service. This algorithm has been called TACA 
(Telecommunications Administrations Cryptographic Algorithm) and 
uses a 96 bit key-variable. 
Encryption synchronisation 

Correct decryption of an encrypted transmission in the stream 
cipher mode requires the synchronised addition of identical 
keystreams at both ends of a link. In particular this implies 
the maintenance of identical entries in the cryptographic engine 
input registers at transmit and receive ends of a link. In 
traditional point-to-point duplex links, this may be 
accomplished by bidirectional set-up protocols. However, 
SatStream services must also support unidirectional and 
broadcast ( point to multipoint ) links, and new receiving 
stations must be able to join a network without disturbing other 
network stations. This problem is overcome by controlling the 
encryption synchronisation entirely from the transmit end of the 
link, through the generation and transmission of an 
Initialisation Vector ( IV ) on each path every multiframe. The 
IV is used to force into a new synchronisation the state of 
every receiving cryptographic engine at the start of each 
multiframe. Thus any receiving station joining into an existing 
network for the first time, or rejoining the network after a 
service break, is assured of rapid synchronisation with the 
transmitting station. This technique may also be used to allow 
multi-destinational links. 
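The following Python program is an added example, not British Telecom's channel unit code, of the mechanism described above: customer bytes are placed in the 60 customer time slots of each of the 64 frames of a multiframe, Exclusive ORed with a keystream derived from the key-variable and a per-multiframe IV, and the IV itself is carried in TS32 so that a receiver needs nothing from earlier multiframes. TACA is not given in the paper, so the keystream generator is a SHA-256 stand-in; the IV layout (station, channel unit, multiframe counter), the frame unique word value and the sample data are assumptions of the example. The program also exercises the two properties claimed for the mode: one satellite-path error in a customer slot produces exactly one plaintext error, and a wrong IV gives a keystream that disagrees on about half of the bits.

```python
"""Stream encryption of a SatStream-style G732-like multiframe with an
Initialisation Vector carried in TS32. Added example, not BT's channel unit
code: the keystream generator is a SHA-256 stand-in for TACA (which the
paper does not give), and the IV layout, unique word and data are assumed."""
import hashlib

SLOTS = 64                                  # 8-bit time slots per frame
RESERVED = (0, 16, 32, 48)                  # TS0 unique word, TS16/TS48 signalling, TS32 messages
CUSTOMER_SLOTS = [ts for ts in range(SLOTS) if ts not in RESERVED]   # 60 slots = 480 bits
FRAMES = 64                                 # frames per multiframe
PAYLOAD = len(CUSTOMER_SLOTS) * FRAMES      # customer bytes per multiframe
IV_LEN = 16                                 # IV bytes, one per frame in TS32 of frames 0..15
FRAME_UNIQUE_WORD = 0x1B                    # constructed value


def make_iv(station: int, channel: int, multiframe_no: int) -> bytes:
    """Assumed IV layout: 16-bit station id, 8-bit channel unit, 104-bit
    multiframe counter. A counter that never wraps under one key-variable
    guarantees that no engine input state recurs ('transmission in depth')."""
    return station.to_bytes(2, "big") + channel.to_bytes(1, "big") + multiframe_no.to_bytes(13, "big")


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Engine input register = key-variable || IV || block counter (stand-in PRF)."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def transmit(customer: bytes, key: bytes, iv: bytes) -> list:
    """Encrypt one multiframe: customer bytes fill the 60 customer slots of
    each frame; reserved slots are never encrypted; the IV rides in TS32."""
    if len(customer) != PAYLOAD:
        raise ValueError(f"need exactly {PAYLOAD} customer bytes per multiframe")
    ct = bytes(p ^ k for p, k in zip(customer, keystream(key, iv, PAYLOAD)))
    frames = []
    for f in range(FRAMES):
        frame = bytearray(SLOTS)
        frame[0] = FRAME_UNIQUE_WORD
        if f < IV_LEN:
            frame[32] = iv[f]
        for i, ts in enumerate(CUSTOMER_SLOTS):
            frame[ts] = ct[f * len(CUSTOMER_SLOTS) + i]
        frames.append(bytes(frame))
    return frames


def receive(frames: list, key: bytes, iv_override: bytes = None) -> bytes:
    """Recover the IV from TS32, regenerate the keystream and strip the frame.
    Nothing from earlier multiframes is needed, so a late joiner resynchronises
    at the first complete multiframe it sees."""
    iv = bytes(frames[f][32] for f in range(IV_LEN)) if iv_override is None else iv_override
    ct = bytes(frames[f][ts] for f in range(FRAMES) for ts in CUSTOMER_SLOTS)
    return bytes(c ^ k for c, k in zip(ct, keystream(key, iv, PAYLOAD)))


def bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    key = bytes(range(12))                              # 96-bit key-variable (constructed)
    plain = bytes(i & 0xFF for i in range(PAYLOAD))     # constructed customer data
    frames = transmit(plain, key, make_iv(0x1234, 7, 41))
    # 1) one error on the satellite path, in a customer slot of frame 10
    hit = bytearray(frames[10])
    hit[CUSTOMER_SLOTS[5]] ^= 0x40
    damaged = frames[:10] + [bytes(hit)] + frames[11:]
    # 2) receiver using the wrong IV (the next multiframe's) -> different keystream
    wrong_iv = receive(frames, key, make_iv(0x1234, 7, 42))
    return {
        "roundtrip": receive(frames, key) == plain,
        "errors_after_one_hit": bit_errors(receive(damaged, key), plain),
        "wrong_iv_error_rate": bit_errors(wrong_iv, plain) / (PAYLOAD * 8),
        "reserved_slots_clear": frames[3][0] == FRAME_UNIQUE_WORD and frames[3][16] == 0,
    }
```

Because the IV in this model is a counter under the station and channel identifiers, the uniqueness that the later "Transmission in depth" paragraph requires is a property of the counter rather than of a random draw; the key-variable has to be changed before the counter could wrap.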

If for any reason the transmit and receive ends of a link use 
different IVs, a different keystream is then applied to the 
customer data and a 50% error rate results. It is consequently 
essential that IVs are strongly error protected in transmission 
since each incorrect IV reception will cause the loss of one 
complete multiframe of customer data. Further complications 
arise from the presence of the Viterbi convolutional coding 
units on the satellite side of the encryption units. The Viterbi 
units generally improve the error rate greatly by correcting 
most of the Gaussian-type errors occurring on the space path, but 
occasionally produce lengthy error bursts. The IVs are therefore 
protected by: 

-The Viterbi units, 

-The addition of a (12,8) shortened Hamming block code 
capable of correcting single errors within any sequence of 
8 IV data bits, 

-The spacing of the Hamming code protected IV bits so that 
a typical Viterbi-type error burst cannot affect more than 
one bit of any 12 bit block. 

These combined measures render the probability of erroneous IV 
reception negligible. 
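As an added example (not BT's implementation), the following Python code builds a (12,8) shortened Hamming code, the standard construction with parity bits at positions 1, 2, 4 and 8 of a 12-bit block, and interleaves the 16 codewords of a constructed 16-byte IV so that a 16-bit error burst touches each block only once. The same burst applied to a non-interleaved stream exceeds the single-error capability of the code and is reported as uncorrectable. The interleaving depth and the IV length are assumptions; the paper gives neither.

```python
"""(12,8) shortened Hamming code plus bit interleaving, as used on SatStream
to protect the IV against Viterbi error bursts. Added example: the code
construction and the interleaving depth are standard choices, not BT's layout."""

DATA_POS = [3, 5, 6, 7, 9, 10, 11, 12]     # 1-based codeword positions holding data
PARITY_POS = [1, 2, 4, 8]                  # power-of-two positions hold parity
N = 12                                     # codeword length


def hamming_encode(byte: int) -> list:
    """Return 12 bits (index 0 = position 1). The parity bit at 2^k covers
    every position whose binary index has bit k set."""
    bits = [0] * (N + 1)                   # 1-based; bits[0] unused
    for i, p in enumerate(DATA_POS):
        bits[p] = (byte >> (7 - i)) & 1
    for p in PARITY_POS:
        bits[p] = 0
        for q in range(1, N + 1):
            if q != p and q & p:
                bits[p] ^= bits[q]
    return bits[1:]


def hamming_decode(code: list):
    """Correct a single error; return (byte, corrected_position or None).
    A syndrome pointing past position 12 means more than one error."""
    bits = [0] + list(code)
    syndrome = 0
    for q in range(1, N + 1):
        if bits[q]:
            syndrome ^= q
    fixed = None
    if syndrome:
        if syndrome > N:
            raise ValueError("uncorrectable pattern (more than one error)")
        bits[syndrome] ^= 1
        fixed = syndrome
    byte = 0
    for p in DATA_POS:
        byte = (byte << 1) | bits[p]
    return byte, fixed


def interleave(codewords: list) -> list:
    """Send bit 0 of every codeword, then bit 1 of every codeword, ...: a
    burst shorter than the number of codewords hits each block at most once."""
    return [cw[j] for j in range(N) for cw in codewords]


def deinterleave(stream: list, count: int) -> list:
    return [[stream[j * count + i] for j in range(N)] for i in range(count)]


def protect_iv(iv: bytes) -> list:
    return interleave([hamming_encode(b) for b in iv])


def recover_iv(stream: list, count: int) -> bytes:
    return bytes(hamming_decode(cw)[0] for cw in deinterleave(stream, count))


def burst(stream: list, start: int, length: int) -> list:
    """Constructed Viterbi-style error burst: invert `length` consecutive bits."""
    out = list(stream)
    for k in range(start, start + length):
        out[k] ^= 1
    return out


def demo() -> dict:
    iv = bytes(range(0xA0, 0xB0))                       # constructed 16-byte IV
    count = len(iv)
    sent = protect_iv(iv)                               # 16 x 12 = 192 bits
    hit = burst(sent, 37, count)                        # 16-bit burst: one bit of every block
    recovered = recover_iv(hit, count)
    # the same burst on a NON-interleaved stream lands 11 errors in one block
    flat = [b for cw in (hamming_encode(x) for x in iv) for b in cw]
    flat_hit = burst(flat, 37, count)
    try:
        flat_ok = bytes(hamming_decode(flat_hit[i * N:(i + 1) * N])[0] for i in range(count)) == iv
    except ValueError:
        flat_ok = False
    return {"bits_sent": len(sent), "interleaved_ok": recovered == iv, "flat_ok": flat_ok}
```

A burst longer than the interleaving depth would again put two errors into one block, which the syndrome may miscorrect rather than reject; the depth therefore has to be chosen against the longest burst the Viterbi decoder is expected to emit, which is exactly the design statement made above.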



Key-variable synchronisation 

The same keystream is only produced so long as the same key- 
variable as well as the same IV is in use at both the transmit 
and receive station. The key-variables are changed on a regular 
basis to prevent too much customer data being committed to any 
one key-variable. Synchronised changeover of key-variables is 
therefore required, and this is achieved by associating an 
identification number with each key-variable. This number is 
continuously signalled by the transmit station. The key-variable 
changeover is automatic and initiated by the transmission of a 
new key-variable identifier. The encryption facility retains a 
store of key-variables in semiconductor memory. This allows long 
periods of secure and continuous operation before a new batch of 
randomly generated key-variables need be loaded into the 
encryption unit. The system is further designed so that during 
this period of dynamic key-variable change there are no service 
interruptions or corruptions of the customer's data. 

The key-variable identifiers not only benefit from all the 
protection afforded to the IVs, but in addition the receiver 
unit will only change to a new key-variable on receipt of 
two identical key-variable identifiers which differ from that of 
the key-variable presently loaded into the encryption engine. As 
each key-variable is exhausted it is overwritten and no trace 
remains within the encryption unit, preventing any possible 
retrospective reading of the key-variables. 
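The receiver-side rule (switch only after two identical identifiers that differ from the loaded key-variable, and overwrite a key-variable once it is left) together with the tamper-triggered erasure described later under SECURITY FEATURES can be modelled as a small state machine. The following Python class is an added example, not BT's firmware; it assumes that the two identical identifiers must be received consecutively, which the paper does not state, and the key-variable batch and the identifier sequence are constructed.

```python
"""Receiver-side key-variable changeover and zeroisation for a SatStream-style
encryption unit. Added illustration, not BT's firmware; the batch layout and
the 'two consecutive identical identifiers' reading are assumptions."""


class KeyVariableStore:
    def __init__(self, batch: dict):
        # identifier -> 96-bit key-variable, held inside the tamper-resistant module
        self._keys = {kid: bytearray(key) for kid, key in batch.items()}
        self.loaded = None        # identifier of the key-variable in the engine
        self._last_seen = None    # identifier received in the previous multiframe
        self.changes = []         # changeover history (demo only)
        self.alarm = False

    def current_key(self):
        return bytes(self._keys[self.loaded]) if self.loaded is not None else None

    def remaining(self) -> list:
        return sorted(self._keys)

    def on_identifier(self, kid: int) -> bool:
        """Feed the identifier recovered from each multiframe (already
        Hamming-corrected). Returns True when a changeover took place."""
        changed = False
        if kid != self.loaded and kid == self._last_seen and kid in self._keys:
            # second identical identifier differing from the loaded key: switch now,
            # and overwrite the key-variable just left so it cannot be read back
            if self.loaded is not None:
                self._zeroise(self.loaded)
            self.loaded = kid
            self.changes.append(kid)
            changed = True
        self._last_seen = kid
        return changed

    def _zeroise(self, kid: int) -> None:
        buf = self._keys.pop(kid)
        for i in range(len(buf)):
            buf[i] = 0

    def tamper(self) -> None:
        """Tamper or removal detected: erase every key-variable and raise the alarm."""
        for kid in list(self._keys):
            self._zeroise(kid)
        self.loaded = None
        self.alarm = True


def demo() -> dict:
    batch = {1: bytes(range(12)), 2: bytes(range(12, 24)), 3: bytes(range(24, 36))}
    rx = KeyVariableStore(batch)
    # identifier seen per multiframe; the lone '2' at index 3 is a corrupted reception
    seen = [1, 1, 1, 2, 1, 1, 2, 2, 2, 3, 3]
    events = [rx.on_identifier(k) for k in seen]
    before = rx.remaining()
    rx.tamper()
    return {"changes": rx.changes, "switch_at": [i for i, e in enumerate(events) if e],
            "remaining_before_tamper": before, "after_tamper": rx.remaining(),
            "alarm": rx.alarm, "key_after_tamper": rx.current_key()}
```

The single corrupted identifier in the constructed sequence is ignored, the genuine changeovers happen on the second repetition, and a key-variable that has been left or that was still stored at the moment of tampering is overwritten rather than merely dereferenced.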

KEY MANAGEMENT 

A key-variable management scheme has been designed and built to 
allow for the secure generation of encryption key-variables from 
a truly random source and their secure handling and 
distribution, and to ensure that the correct key-variables are 
loaded into the correct equipment in a timely manner. 

International 

The European offering of SatStream using the European 
Communication Satellite will allow the encryption of 
international as well as national satellite links. International 
key-variable distribution will be achieved in a secure manner, 
with key-variables being protected in transit by a one-time pad. 
International key-variable distribution may also use the more 
automated system described below, which was designed to simplify 
UK national key management. 

UK National 

The key-variables are distributed to the earth station 
encryption units by key guns or key transfer devices. The key 
guns are small hand-held devices capable of holding up to 16 
batches of key-variables with a self contained liquid crystal 
display displaying the station and channel identification for 
each batch. The key guns themselves are previously filled with 
key-variables either at a secure key management centre or at a 
remote location connected to a key management centre by secure 
and encrypted links. Key-variables are generated at key 
management centres using a true random process and are checked 
against known undesirable key-variables to eliminate any 
unfortunate values. Figure 4 shows the key management scheme. A 
small computer system is used as the principal key management 
unit . 

The key-variables are loaded into the encryption units from the 
key guns via a short physical wire link when a manually 
initiated request is received from the encryption unit, subject 
to certain physical controls to prevent unauthorised operation. 
SECURITY FEATURES 

The security of the earth station encryption unit and the key 
management system are important considerations in a system such 
as that developed for SatStream. The encryption unit is 
incorporated into the channel unit from the initial design 
phase, and it is protected by being encased within a tamper 
resistant module securely embedded within the surrounding 
equipment. 

Key-variable security 

Key-variables may not be read out of the tamper resistant 
module. This module will, on the detection of any tampering or 
attempted removal from the surrounding units, completely erase 
all key-variables contained within itself, while simultaneously 
raising system alarms. Similar considerations have also been 
applied to the key gun, and in this case a facility is also 
provided for complete erasure of all sensitive data by manual 
operator action. 

Bypass 

The encryption unit has been so designed that it contains no 
physical or logical internal bypass paths, since these could 
potentially allow transmission of unencrypted data. Under 
certain failure conditions transmission equipments transmit AIS 
or 'All-Ones' in place of customer data, and this failure signal 
must appear to pass transparently through the entire system 
including the encryption unit. Since the unit has no internal 
bypass circuits an AIS generator is incorporated which takes 
over the encryption unit output if AIS is detected at the input. 
The exclusion of any bypass capability ensures that under no 
conditions can any unencrypted customer data be transmitted. 

Transmission in depth 

The security of the data is compromised if the same 
cryptographic engine input register state occurs more than once 
within the lifetime of any given key-variable ('Transmission in 
depth'). Special methods are used in the generation of IVs to 
overcome this problem. 

TESTS 

The design and operation of the channel unit equipment and 
associated key management principles have been thoroughly tested 
in both laboratory tests and using satellite links over the 
Orbital Test Satellite (OTS). The encryption methods employed 
have proved to be highly robust and able to accommodate the 
severe carrier-to-noise characteristics encountered on space 
paths, with the synchronisation and error correction facilities 
performing exactly as predicted. The encryption facility has 
been proven not to affect the overall channel error rate. 

CONCLUSIONS 

The optional encryption facility developed for the European 
SatStream service offers a very high level of security on the 
satellite path, backed up by good equipment physical security, 
sound key-variable generation, distribution and management. It 
uses redundancies within the SatStream G732-like data structure 
and so does not require expansion of the existing frame 
structure. It is completely transparent to customer data and has 
no effect on channel performance. It permits unidirectional and 
multidirectional (point-to-point and point-to-multipoint) encrypted 
links without the need for reconfiguration if the number of 
participating stations changes, and represents a considerable 
service enhancement for users concerned about the sensitivity of 
their data. 
ABSTRACT - To perform message authentication in a telesurveillance system, 
the paper proposes a non linear time varying encryption algorithm, based 
on key layering in three levels (system key, intermediate key, running key) 
and on encryption organization into two or more sets of three operations 
(running key rotation, message digit substitution and transposition). The 
algorithm was designed to be implemented on an 8-bit microprocessor. 



1 - INTRODUCTION 

The telesurveillance system we are concerned with includes a control 
center (CC) and a certain number of environment detection devices (DD) 
located in the places to be kept under surveillance. The CC asks the 
remote DD's cyclically about the parameters they are detecting and each 
DD sends the appropriate answer back, taking it from a finite set. The CC 
and DD's can be linked either by a private network or by leased channels. 

To prevent modifications or imitations of the messages interchanged 
between the CC and the DD's, an effective authentication procedure is 
needed. Encryption is one of the most effective methods to perform 
authentication; for this purpose, the encryption algorithm must meet two 
fundamental requirements: non linearity of the relation between plaintext 
and ciphertext; time variability of the algorithm parameters. If the 
former requirement is met, any intruder attempting message modifications 
without knowing the secret key would be unable to make the appropriate 
changes in the encrypted signature required for his modification to 
escape disclosure. The latter requirement is necessary to prevent an 
intruder from recording properly encrypted messages and sabotaging the 
system by playing them back later. 

The encryption algorithm proposed in this paper meets these requirements 
and can be implemented on an 8-bit microprocessor. It is based on the 
layering of the key in three levels: system key, intermediate key and 
running key (sec. 2), and on encryption organization into two or more 
sets of three operations: running key rotation, message digit 
substitution and transposition (sec. 4). The running key consists of 
segments of the binary sequence generated by a non linear pseudorandom 
generator whose parameters are functions of both the intermediate and the 
system key (sec. 2). The binary message to be encrypted consists of three 
fields containing telesurveillance, key changing and authentication 
information respectively (sec. 3). Authentication and telesurveillance 
procedures are described in sec. 5. 



2 - KEY GENERATOR 

Whenever an encryption or decryption operation has to be performed in the 
system, a running key request signal starts the key generator shown in 
fig. 1, where M denotes a buffer memory and $G_1, G_2, G_3, G'_1, G'_2, 
G'_3$ are linear feedback shift registers (LFSR). The first three LFSR's 
have primitive characteristic polynomials of degree $N_1, N_2, N_3$ 
respectively and form a Geffe generator, whose output sequence has 
equally likely 1's and 0's, a period equal to 
$\operatorname{lcm}(2^{N_1}-1,\; 2^{N_2}-1,\; 2^{N_3}-1)$ and a complexity 
equal to $N_1 N_2 + (N_2+1)\,N_3$. After each running key request, 8 
digits of this sequence are generated and written into M to update its 
content. 

The second three LFSR's, together with the 8-digit delayer D, form a 
modified Geffe generator; the characteristic polynomial of $G'_2$ is 
primitive, while the feedback connections of $G'_1$ and $G'_3$ and the 
initial states of $G'_1$, $G'_2$, $G'_3$ are determined as functions of 
the content of M under the constraints that: the three characteristic 
polynomials have an odd number of terms and fixed degrees $N'_1$, $N'_2$, 
$N'_3$; the initial state of each LFSR has at least one digit set to 1. 
If the polynomial coefficients of $G'_1$ and $G'_3$ and the initial 
states of $G'_1$, $G'_2$, $G'_3$ were constant (as the polynomial 
coefficients of $G'_2$ are), the modified Geffe generator would generate 
a binary sequence having a period P and a complexity C such that: 

$$3(2^{N'_2}-1) \le P \le \operatorname{lcm}(2^{N'_1}-1,\; 2^{N'_2}-1,\; 2^{N'_3}-1)$$ 

and 

$$\ldots \le C \le N'_1 N'_2 + (N'_2+1)\,N'_3 + N'_{(\cdot)}$$ 

(the lower bound on C and the subscript of the last term are not legible 
in the source); the lowest and highest values of P and C are taken 
respectively with probabilities 

$$2^{\,8-N'_1-N'_3} \qquad\text{and}\qquad 
\frac{\varphi(2^{N'_1}-1)\,\varphi(2^{N'_3}-1)}{N'_1 N'_3\, 2^{N'_1+N'_3-4}},$$ 

where $\varphi$ indicates the Euler totient function. After each running 
key request, 64 digits of this sequence are generated. 

The time varying parameters of the modified Geffe generator are changed 
according to the content of M whenever a given number of digits randomly 
generated in the CC coincides with the content of an equal number of 
fixed memory cells. 

The system key, which provides the coefficients of the characteristic 
polynomials of $G_1$, $G_2$, $G_3$, $G'_2$ and the initial states of 
$G_1$, $G_2$, $G_3$, is generated by a program fulfilling the 
requirements that the aforesaid polynomials are primitive and each 
initial state vector contains at least a 1. The intermediate key, which 
provides the coefficients of the characteristic polynomials of $G'_1$, 
$G'_3$ and the initial states of $G'_1$, $G'_2$, $G'_3$, is taken from 
M. The running key consists of the 64 digits generated by the modified 
Geffe generator. 

Since the intermediate key is changed at random, the sequence generated 
by the modified Geffe generator is usually aperiodic and it is 
meaningless to define its complexity. 
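The Geffe generator of sec. 2 in working form, as an added illustration that is not the paper's code: three small LFSRs with primitive polynomials are combined by the Geffe function, and the paper's period and complexity formulas are checked by brute force (period search and Berlekamp-Massey). The degrees 3, 4, 5, the polynomials and the seeds are constructed toy values, far smaller than anything usable.

```python
"""Geffe generator of sec. 2 (added illustration, not the paper's code).
Three LFSRs with primitive characteristic polynomials of degrees N1, N2,
N3 are combined bit by bit by g(a1, a2, a3) = a1*a2 XOR (1 XOR a2)*a3.
The toy degrees 3, 4, 5 and the seeds below are constructed values; they
keep the period small enough to check the paper's formulas exhaustively.
Caveat: g agrees with a1 and with a3 three times in four, the correlation
that is the Geffe combiner's well-known weakness."""
from math import lcm
from typing import List


class LFSR:
    """Fibonacci LFSR over GF(2).  `poly` lists the exponents with nonzero
    coefficient in x^N + c_{N-1} x^{N-1} + ... + c_0 (N and 0 included)."""

    def __init__(self, poly: List[int], seed: List[int]):
        self.n = max(poly)
        self.feedback = [e for e in poly if e < self.n]
        if len(seed) != self.n or not any(seed):
            raise ValueError("seed must have N digits with at least one 1")
        self.state = list(seed)          # state[0] is the oldest digit s_k

    def step(self) -> int:
        out = self.state[0]
        new = 0
        for e in self.feedback:          # s_{k+N} = sum of c_e * s_{k+e}
            new ^= self.state[e]
        self.state = self.state[1:] + [new]
        return out


class Geffe:
    def __init__(self, g1: LFSR, g2: LFSR, g3: LFSR):
        self.regs = (g1, g2, g3)

    def bit(self) -> int:
        a1, a2, a3 = (r.step() for r in self.regs)
        return (a1 & a2) ^ ((1 ^ a2) & a3)   # Geffe combining function

    def bits(self, count: int) -> List[int]:
        return [self.bit() for _ in range(count)]

    def running_key_block(self) -> List[int]:
        """The 8 digits written into the buffer memory M per request."""
        return self.bits(8)


def make_toy_geffe() -> Geffe:
    # x^3+x+1, x^4+x+1 and x^5+x^2+1 are primitive; seeds are constructed.
    return Geffe(LFSR([3, 1, 0], [1, 0, 0]),
                 LFSR([4, 1, 0], [1, 0, 0, 0]),
                 LFSR([5, 2, 0], [1, 0, 0, 0, 0]))


def period_of(seq: List[int], upper: int) -> int:
    """Smallest divisor p of `upper` with seq[i] == seq[i+p] for a full
    window; seq must hold at least 2*upper digits."""
    for p in range(1, upper + 1):
        if upper % p == 0 and seq[:upper] == seq[p:p + upper]:
            return p
    raise ValueError("sequence period does not divide upper")


def linear_complexity(seq: List[int]) -> int:
    """Berlekamp-Massey over GF(2): length of the shortest LFSR for seq."""
    n = len(seq)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(shift, n + 1):
                c[j] ^= b[j - shift]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def check_formulas(n1: int = 3, n2: int = 4, n3: int = 5):
    """Return (measured period, lcm formula, measured complexity, formula)."""
    expected_period = lcm(2 ** n1 - 1, 2 ** n2 - 1, 2 ** n3 - 1)   # 3255
    seq = make_toy_geffe().bits(2 * expected_period)
    period = period_of(seq, expected_period)
    complexity = linear_complexity(seq[:200])   # > 2 * 37 digits suffice
    return period, expected_period, complexity, n1 * n2 + (n2 + 1) * n3


def ones_in_period() -> int:
    """Number of 1's in one full period; balance is only approximate."""
    return sum(make_toy_geffe().bits(lcm(7, 15, 31)))


if __name__ == "__main__":
    print(check_formulas())                      # (3255, 3255, 37, 37)
    print(ones_in_period(), "ones out of", lcm(7, 15, 31))
```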



3 - MESSAGE STRUCTURE 

Every message consists of 64 binary digits subdivided in three fields: a 
40-digit information field, reserved to the telesurveillance information; 
an 8-digit signalling field, devoted to the transmission of key-changing 
information; a 16-digit authentication field, for transmission of 
authentication information. The information field is subdivided in two 
sectors, devoted respectively to the transmission of the CC's 
interrogations and the DD's answers; the CC uses the second sector too, 
to transmit a replica of the interrogation; the DD's use the first sector 
too, to transmit a replica of the received interrogation. In the 
signalling field the CC inserts the key-changing signal and the DD 
inserts a replica of the received key-changing signal. The sequence to be 
inserted in the authentication field can be obtained either by taking the 
remainder of the modulo 2 division of the D-transform [3] of the 
information and signalling field contents by a 16 degree polynomial, or 
as the result of 16 parity checks. The probability that intentional or 
unintentional message modifications can elude the controls is greatly 
reduced owing to the high message redundancy and check number. 

4 - ENCRYPTION 

Encryption consists of two or more iterations of three operations: 
running key rotation; plaintext digit substitution; transposition of the 
digits resulting from the preceding operation. Substitution is performed 
by adding modulo 2 each plaintext digit to the corresponding digit of the 
running key (without rotation in the first iteration, and after suitable 
running key shifts in the following iterations); the substituted sequence 
is segmented in eight 8-digit blocks which are arranged in an 8x8 matrix, 
while the running key is segmented in sixteen 3-digit blocks. 
Transposition is performed by shifting each row and then each column of 
the matrix cyclically by a number of positions given by the decimal value 
of the appropriate key block. 
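The message format of sec. 3 and the substitution/transposition cipher of sec. 4 in working form, as an added example that is not the paper's code; the degree-16 polynomial, the 8-digit running-key rotation between iterations and all sample values are assumptions, since the paper does not fix them. It also shows that a single digit altered in transit is caught by the authentication field after decryption.

```python
"""Message format of sec. 3 and the substitution/transposition cipher
of sec. 4, as an added illustration (not the paper's own code).
Assumptions, since the paper leaves them open: the degree-16 polynomial,
the running-key rotation between iterations, and the sample values."""
from typing import List

Bits = List[int]

# Assumed degree-16 polynomial x^16 + x^12 + x^5 + 1, coefficients listed
# from x^16 down to x^0; the paper only says "a 16 degree polynomial".
POLY16 = [1 if e in (16, 12, 5, 0) else 0 for e in range(16, -1, -1)]
ROTATE_PER_ITER = 8   # assumed running-key rotation applied per iteration

# Constructed sample values: a 40-digit information field, an 8-digit
# signalling field carrying a key-changing signal, a 64-digit running key.
SAMPLE_INFO = [int(b) for b in f"{0x1F2E3D4C5B:040b}"]
SAMPLE_SIGNALLING = [0, 0, 0, 0, 0, 0, 0, 1]
RUNNING_KEY = [int(b) for b in f"{0x5A3C9E1F7B2D4680:064b}"]


def mod2_remainder(msg: Bits, poly: Bits) -> Bits:
    """Remainder of msg(x) divided by poly(x) over GF(2).  msg holds the
    coefficients of the D-transform from the highest power downward."""
    deg = len(poly) - 1
    work = list(msg)
    for i in range(len(msg) - deg):
        if work[i]:                       # cancel the leading term
            for j, p in enumerate(poly):
                work[i + j] ^= p
    return work[len(msg) - deg:]          # the deg low-order digits


def build_message(info: Bits, signalling: Bits) -> Bits:
    """40 + 8 + 16 = 64 digits; the authentication field is the remainder
    computed over the information and signalling fields."""
    if len(info) != 40 or len(signalling) != 8:
        raise ValueError("field lengths must be 40 and 8 digits")
    body = info + signalling
    return body + mod2_remainder(body, POLY16)


def verify_message(msg: Bits) -> bool:
    """Recompute the remainder over the first 48 digits and compare."""
    return len(msg) == 64 and mod2_remainder(msg[:48], POLY16) == msg[48:]


def rotl(bits: Bits, k: int) -> Bits:
    """Cyclic left shift by k positions (negative k shifts right)."""
    k %= len(bits)
    return bits[k:] + bits[:k]


def transposition(block: Bits, key: Bits, inverse: bool = False) -> Bits:
    """Arrange 64 digits as an 8x8 matrix (eight 8-digit blocks), rotate
    each row and then each column by the decimal value of one of sixteen
    3-digit key blocks (the first 48 running-key digits); inverse undoes."""
    shifts = [4 * key[3 * i] + 2 * key[3 * i + 1] + key[3 * i + 2]
              for i in range(16)]
    sign = -1 if inverse else 1

    def shift_rows(m):
        return [rotl(r, sign * s) for r, s in zip(m, shifts[:8])]

    def shift_cols(m):
        cols = [[m[i][j] for i in range(8)] for j in range(8)]
        cols = [rotl(c, sign * s) for c, s in zip(cols, shifts[8:])]
        return [[cols[j][i] for j in range(8)] for i in range(8)]

    rows = [block[8 * i:8 * i + 8] for i in range(8)]
    rows = shift_rows(shift_cols(rows)) if inverse else shift_cols(shift_rows(rows))
    return [d for r in rows for d in r]


def encrypt(msg: Bits, running_key: Bits, iterations: int = 2) -> Bits:
    block = list(msg)
    for it in range(iterations):
        key = rotl(running_key, it * ROTATE_PER_ITER)  # none in iteration 0
        block = [m ^ k for m, k in zip(block, key)]    # substitution
        block = transposition(block, key)              # transposition
    return block


def decrypt(ct: Bits, running_key: Bits, iterations: int = 2) -> Bits:
    block = list(ct)
    for it in reversed(range(iterations)):
        key = rotl(running_key, it * ROTATE_PER_ITER)
        block = transposition(block, key, inverse=True)
        block = [c ^ k for c, k in zip(block, key)]
    return block


def tamper_detected(flip_index: int = 10) -> bool:
    """Flip one ciphertext digit in transit; after decryption the
    authentication field no longer matches, so the DD rejects it."""
    ct = encrypt(build_message(SAMPLE_INFO, SAMPLE_SIGNALLING), RUNNING_KEY)
    ct[flip_index] ^= 1
    return not verify_message(decrypt(ct, RUNNING_KEY))


if __name__ == "__main__":
    msg = build_message(SAMPLE_INFO, SAMPLE_SIGNALLING)
    ct = encrypt(msg, RUNNING_KEY)
    print("round trip ok:", decrypt(ct, RUNNING_KEY) == msg)
    print("single-digit tamper detected:", tamper_detected())
```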

5 - TELESURVEILLANCE PROCEDURE 

The CC shares individual system keys with the DD's: the key generators 
sharing the same system key evolve synchronously at 64-digit steps, 
generate the same running key and change the intermediate key on the 
initiative of the CC. 

To interrogate each DD about its state, the CC sends a message 
encrypted with the specific running key. 
The DD decrypts the message and either verifies that the 16 
authentication digits coincide with the remainder of the modulo 2 
division of the D-transform of the information and signalling field 
contents by the prefixed 16 degree polynomial or performs 16 parity 
checks, according to the authentication approach used in transmission. 

If the message authenticity is recognized, the DD reads the information 
and signalling field contents. If a key-changing signal is present in the 
signalling field, the DD gets ready to change the intermediate key at the 
next running key request. Moreover, the DD prepares a message containing: 
the replica of the received interrogation and the corresponding answer, 
in the information field; the replica of the received key-changing 
signal, in the signalling field; and the authentication sequence, in the 
authentication field. This message is encrypted with a new running key. 

Failure of the authentication check may or may not be due to the 
reception of a cleartext by which the CC communicates that it did not 
recognize the authenticity of the message previously sent by the same DD. 
In the former case the DD changes the intermediate key and encrypts the 
preceding message with the new running key. In the latter case, the DD 
sends a non authentication message in clear, keeps its key generator in 
step with the corresponding CC's one by letting it run by 64 digits, and 
gets it ready to change the intermediate key. Both non authentication 
messages consist of 64 digits obtained by repeating the DD address a 
certain number of times. 

An alarm is given in the CC whenever one of the following events occurs: 
lack of DD answer within a prefixed time interval; non authentication of 
three consecutive messages coming from the same DD; alarm indication and 
consecutive alarm confirmation on the part of the same DD; a combination 
of non authentication and alarm messages. 
I) Introduction 

According to estimates made in 1983 software manufacturers lose at 
least 50% of their turnover due to "illegal copying" or - to be more 
accurate - to "unauthorized execution" of programs. The problem is 
especially serious in the field of mini- and microcomputers and is 
growing steadily. 

Presently the way to compensate for the losses caused by software piracy 
is to raise software prices accordingly. Thus there is an urgent 
need for software protection systems from the manufacturers' as well 
as the users' point of view. 

In particular there are two up-to-date methods that seem specially 
suited to solve problems like these - smart card technology and 
cryptographic techniques. 

Smart cards, plastic cards equipped with a microprocessor to execute 
special security algorithms and a protected memory to store even 
highly confidential data, present a means to realize security systems 
of various kinds that are not only highly secure, but also provide 
a plain and clear user interface. So it is possible for the first 
time to make high level security systems available in everyday life, 
thus meeting the strongly rising security demands the new 
technologies bring with them. 

The software protection system described below is based on CP8-cards 
- smart cards developed by BULL France - and card readers. 

The cards are used in their standard form and linked with the system 
via special software, the card reader is connected to the computer 
via a V.24-interface (RS 232). 

The cryptographic techniques used for protection comprise standard 
methods provided by CP8-cards as well as specially developed 
algorithms. Encipherment and decipherment of data is accomplished by 
the algorithm "C80". 



II) Design Criteria / Requirements 

The central goal of a software protection system is to protect 
software against "piracy". 

A detailed analysis of the problem shows that this does not 
necessarily mean to prevent the production of program copies, but 
rather their illegal use. 

So the first and central goal of a software protection system has 
to be : 

to prevent unauthorized execution of programs. 
Copying is allowed unlimitedly. 
In addition to the security demands, an up-to-date software 
protection system has to fulfill strong requirements with regard 
to its ease-of-use, applicability and flexibility. 

The software manufacturer needs a system that is 

- of reasonably low cost, relative to the losses caused by 
software piracy 

- independent of storage media 

- applicable independently of the computer manufacturer 

For the software user the most attractive feature of the system 
is that protected software can be sold at a greatly reduced price. 

In order to raise acceptance levels, two additional criteria have 
been demanded for the software protection system presented below: 

- greater ease-of-use of the protected software 

- additional protection of user software and data against 
unauthorized access 



III) The Method of Protection 



Basic Idea 

The software to be protected is connected with a proper, 
specially issued smart card, so that the execution of programs is 
possible if and only if the card is inserted in the card reader. 

As it is impossible to copy smart cards, the software can only be 
executed by users who legally bought a licence and got a card then. 

Copying of programs can be performed unrestrictedly. 

If wanted, several different programs can be associated with a 
single smart card. 
Protection Mechanisms 

The connection between the software to be protected and the proper 
smart card is established in three different ways: 

1) Repeated inquiries if the card is inserted in the card reader: 

At certain stages the protected software calls the "TELEPASS 
function" that is inherently integrated in every CP8-card. 
Certain data, in our case pseudo random numbers, are transmitted 
to the card, where they are enciphered by a certain algorithm 
under a secret key that is stored in the card, and retransmitted. 

The calling program enciphers the PRN too and compares the 
results. If they are equal the authenticity of the card can be 
taken for granted. 

The use of a new PRN whenever the TELEPASS function is called 
ensures that the transfer of data between smart card and card 
reader is unpredictable and irreproducible. 

So an "active" wiretapper cannot break the system by intercepting 
data, storing them and replaying them later. 

2) Storing selected enciphered program data on the card. 
The following rules are to be observed: 

- Only those data may be stored that will certainly never be 
changed in subsequent program releases. Else for every new 
program version new cards would have to be distributed. 

- Among others, initial values of variables and data, that are 
needed at highly important program stages, are well suited 
for storage in the card. 

- The data are stored and transmitted in enciphered form. 
Transmission of data between card and program is again 
protected by the use of encryption and pseudo random numbers. 
Deciphering is done either immediately or a while before the 
data are needed. 

3) Enciphering highly valuable programs, storing them on the card 
and executing them in the card reader / card: 

Parts of the software to be protected, that are of particularly 
high value or central importance, are enciphered and stored in 
the card. 

Together with that card the card reader forms an external computer 
that in the present version executes the programs. 

As soon as freely programmable smart cards are available, the 
execution can be performed by the card. 

The communication between the calling program and the external 
computer is again protected by cryptographic methods and the use 
of pseudo random numbers. 
The Cryptographic Background 



At the heart of the cryptographic algorithms applied in the software 
protection system is the cipher algorithm C80. 

It is used 

- to encipher and decipher the program data stored in the card 

- to protect the communication between the card, the card reader 
and the calling programs against passive and active wiretapping 

- to encipher and decipher the programs stored in the card 

- to produce pseudo random numbers 



C80 is a block cipher algorithm that is similar to the DES in its basic 
structure. The left and the right halves of a text are interchanged 
repeatedly and one half is XOR-ed with a binary vector depending on the 
text and the key. A sketch of the algorithm is given in the 
following : 



[Figure: sketch of the C80 algorithm, from Plaintext (2x bit) to 
Ciphertext (2x bit)] 
In contrast to the DES, C80 does not use S-boxes, permutations or any 
other tables of fixed size. 

For this reason it is highly flexible - it employs variable numbers of 
rounds, variable block- and key-lengths - and can be well adapted to 
the special problems. 

A detailed description of C80 and a security analysis are given in 
"Zur Analyse des DES und Synthese verwandter Chiffriersysteme", 
Thesis, I. Schaumueller-Bichl, Linz/Austria, May 1981. 

For the software protection system the freely selectable parameters for 
the C80 were chosen to decrease computation time and still provide a 
degree of security that is essentially higher than that of the DES. 

As the C80 has approximately the same good error propagation and 
statistical properties as the DES, it can be used also for the 
generation of pseudo random numbers. 

In a very complex way it generates the 48-bit numbers needed by the 
TELEPASS function. 
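The TELEPASS check of item 1 under "Protection Mechanisms", built on a Feistel structure of the kind described for C80, as an added example that is not the project's code: the SHA-256-based round function and key schedule, the 8 rounds, the 64-bit block and the 48-bit challenge length are assumptions, not C80 itself. The replaying wiretapper shows why a fresh PRN per call is needed.

```python
"""TELEPASS-style card check (item 1 of 'Protection Mechanisms') on a
Feistel network of the kind sketched for C80: halves exchanged each
round, one half XOR-ed with a vector depending on text and key.  Added
illustration; the round function, key schedule, 8 rounds, 64-bit block
and 48-bit challenge are assumptions, not C80 or CP8 card code."""
import hashlib
import secrets
from typing import Callable, Dict, List

ROUNDS = 8
MASK32 = 0xFFFFFFFF


def _round_keys(key: bytes) -> List[bytes]:
    """Assumed key schedule: one 8-byte subkey per round."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(ROUNDS)]


def _f(half: int, subkey: bytes) -> int:
    """Assumed round function: a 32-bit vector depending on text and key."""
    d = hashlib.sha256(half.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(d[:4], "big")


def feistel_encrypt(block: int, key: bytes) -> int:
    """(L, R) -> (R, L xor f(R, k_r)) per round; the final swap is undone."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for sk in _round_keys(key):
        left, right = right, left ^ _f(right, sk)
    return (right << 32) | left


def feistel_decrypt(block: int, key: bytes) -> int:
    """The same network with the subkeys applied in reverse order."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for sk in reversed(_round_keys(key)):
        left, right = right, left ^ _f(right, sk)
    return (right << 32) | left


class Card:
    """Card side: enciphers the received PRN under its stored secret key;
    the key itself never leaves the object."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def telepass(self, prn: int) -> int:
        return feistel_encrypt(prn, self._key)


class ProtectedProgram:
    """Calling-program side: draws a fresh 48-bit PRN for every check and
    compares the card's answer with its own encipherment."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def card_is_authentic(self, respond: Callable[[int], int]) -> bool:
        prn = secrets.randbits(48)           # new PRN on every call
        return respond(prn) == feistel_encrypt(prn, self._key)


class ReplayingWiretapper:
    """Has recorded earlier (PRN, answer) pairs and can only play them
    back; without the key it cannot answer a PRN it has not seen."""

    def __init__(self):
        self._log: Dict[int, int] = {}

    def record(self, prn: int, answer: int) -> None:
        self._log[prn] = answer

    def respond(self, prn: int) -> int:
        return self._log.get(prn, 0)


def demo(key: bytes = b"constructed demo key") -> Dict[str, bool]:
    """Authenticity verdicts for a genuine card, a replay, a wrong key."""
    card, program = Card(key), ProtectedProgram(key)
    tap = ReplayingWiretapper()
    for _ in range(3):                       # observe genuine exchanges
        prn = secrets.randbits(48)
        tap.record(prn, card.telepass(prn))
    return {
        "genuine card": program.card_is_authentic(card.telepass),
        "replaying wiretapper": program.card_is_authentic(tap.respond),
        "card with other key":
            ProtectedProgram(b"other key").card_is_authentic(card.telepass),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: accepted = {verdict}")
```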



IV) System Properties 

The software protection system we described above meets the 
requirements and design criteria stated in chapter 2: 

It prevents the unauthorized execution of software: 
Like all practical solutions our system does not provide absolute 
and unconditional security. But the degree of security was chosen 
so high that it is considerably easier and cheaper to buy a licence 
or even to write an equivalent program than to copy protected 
software. 

It can be applied by software manufacturers without support of 
hardware manufacturers: 

The method is realized in software, the hardware components required 
(cards and card readers) can be easily connected with the computer. 

It is independent of specific CPU's: 

The system does not make use of special CPU numbers or similar. 
Thus protected software can be executed on each suitable computer. 
This is of special importance in the case of hardware troubles, 
when a computer is to be replaced. 

It is independent of storage media: 

As the system does not physically prevent copying but execution of 
programs the software can be protected no matter where and how it is 
stored. 

Copies can be produced without restrictions: 

The user of a protected program can make as many copies as he wants 
and use any of them for further work without having to perform 
additional procedures. 
The protection system also provides special advantages for the user 
as side effects of the methods applied: 

- As for the execution of a protected program the smart card is 
absolutely needed, the system provides additionally some 
protection of software against unauthorized access. This is of 
special importance in the case of multiuser systems and computer 
networks. 

It is possible to additionally provide the system with a Personal 
Identification Number (PIN) known only by the user and thus making 
it a real access control system. 

Enhanced ease-of-use: 

A part of the memory implemented in the smart card can be used to 
store several commands that usually have to be typed by the user. 
By releasing the user from these routine functions the ease-of-use 
and consequently the rate of acceptance of a program can be raised 
considerably. 



V) Fields of Application 



The software protection system can be used in a variety of cases: 

Protection against multiple use of a single licence: 

Guarantees the observance of software licence contracts 

Protection of software during and after test installations: 

If programs are protected in the way described above, the proper 
card can be returned to the software manufacturer or be destroyed 
automatically after the end of the test installation. From that point 
on the software cannot be executed by the user. 

Protection of software during transport: 

As the software cannot be executed as long as the proper card 
is unavailable, programs can be sent to a customer e.g. by ordinary 
mail without any further protection. This is especially 
valuable for the distribution of new program releases. 
Prospects of Application 

As stated above the presented software protection system shows 
several strong points compared to other systems concerning 

security 

universal applicability 

flexibility 

ease of use 

Undoubtedly it also shares the weak points inherent to every 
software protection system, caused by the additionally necessary 
hard- and software. 

For the software manufacturer these disadvantages - having to 
implement and maintain additional components - are fully compensated 
by the protection the system provides for his software and consequently 
by the increase of his turnovers. 

For some software users protected software might be unattractive at 
first glance, as there is no longer any chance to produce or execute 
unauthorized copies for themselves or others. But on the other hand 
protected software can be sold at a considerably reduced price, a 
feature that is for the benefit of all users. 

The possibilities to enhance the ease-of-use as well as the security 
against unauthorized access are another crucial reason for a user to 
buy software protected by the described system. 

There is one point left for discussion: the price of the protection 
system and its relation to the software prices. 

The application of the method presupposes the availability of a card 
reader at every PC or terminal. 

As smart card technology is very new and card readers are scarcely 
spread, the card readers usually have to be an integrated component of 
the protection system. 

The full costs of this system - including protection software, card and 
card reader - have to be taken over by the software manufacturer, the 
free card reader being another motivation for the software purchaser. 

For this reason the system should presently be applied mainly for 
high-value software. 

The threshold for profitability is on average at a price of 3,000 
to 5,000 US$ for the software to be protected, depending on the 
expected rate of unauthorized to authorized copies. 
For the future it is to be expected that card readers - as external 
devices or integrated in terminals - will be as common a device of mini- 
and microcomputers as floppy disk drives or printers are today. 
In this case the hardware costs comprise merely the costs for smart 
cards (estimated at less than 5 US$ for mass production), so the 
protection system can well be applied also for the protection of 
cheap standard software like text processing systems. 

In order to be able to apply the system already now for low cost, 
widely sold software, two ways of proceeding can be conceived: 

construction of card readers dedicated to the specific problem and 
thus available at a lower price 

an agreement between software companies to share the costs for a 
card reader, that can be used for different programs of different 
companies 



Summary 

The protection system presented ensures that software can only be 
executed in combination with a specially issued, uncopyable smart card. 
It is realized by software and standard hardware (CP8-cards 
and card readers). 

Its high level of security, flexibility and ease-of-use makes it 
interesting for manufacturers of software as well as for users. 



SESSION ON SMART CARDS 
TUESDAY APRIL 10 



INTRODUCTORY REMARKS 

by Alain TURBAT 
DGT - Delegation Carte a Memoire 



For a few years now, the smart card has begun to appear in the field 
of cryptography. Today it is possible to hold a special session of 
Eurocrypt 84 on this subject because, after a period of experiments, the 
smart card is now becoming a commercial product, especially in 
France. 



You all know what a smart card is: this standard dimensioned 
plastic card contains a micro electronics package including a memory 
and a microprocessor controlling read and write access to this 
memory. 



This new card differs from magnetic stripe cards, not so much 
by its memory capacity, as by its internal computing power, hence its 
name: the smart card. 



Cryptographic computation using personal secret keys is possible 
inside the card itself, allowing the smart card to carry out complex 
dialogues with the external environment. This permits a high degree 
of security in a large field of applications through processes of 
authentication of the card, identification of the user, confidentiality 
of transmitted information, certification of a transaction by all 
the parties involved. 
The card's internal processing capacity, and its ability to store 
a non erasable record of each transaction, provide an unrivaled degree 
of security and performance such that it will, during the coming 
decade, become one of the key elements in the expansion of electronic 
funds transfer, as well as an extremely reliable means of identification 
for access to buildings, data banks, videotex services, pay TV 
channels and so on. 



It would also be very helpful as a personal electronic file in 
applications that require portability and self contained security, for 
instance in the medical services field. 



Therefore, by making information storage and processing possible 
anywhere, the smart card opens up new horizons in the design of net- 
works, in regard to security and cost. 

In France, the first project coming just now to mass production 
is the smart card payphone project. The French Telecommunications 
Administration has already ordered more than 10 000 payphones and one 
million cards, including 200 000 with the microprocessor monochip 
designed by BULL, which are capable of both payphone and banking 
functions including point of sale, home banking and telepayment. Such a 
multifunction card will be used this year for all these applications in 
BLOIS, in the area of the castles on the Loire. 

All the French Banks and Financial Institutions have also decided 
to adopt a mixed smart/magnetic stripe card to be generalized in the 
whole country before the end of the eighties. 

But the subject today is the link between smart card and 
cryptography, which will be explained in detail by the different 
experts. 



I suggest we simply listen to them. 



SMART CARD APPLICATIONS IN SECURITY AND DATA PROTECTION 



by Jean GOUTAY, President de la Societe INFOSCRIPT 

INTRODUCTION 

The several security elements of the smart card are based on 
physical and logical barriers. 

- Materially, the smart card is a monolithic component including 
a microprocessor and a memory of 8 K bits, this memory being 
indelible. 

In addition, entry test points have been destroyed before 
activating the smart card. 

In practice it is impossible to read, modify or duplicate the 
contents of the smart card. 



- Logically, the chip is able to memorize the different wrong 
access attempts and invalidate the electronic circuit after 
three repeated attempts for example, or N attempts on the 
whole. 



Let us note in addition that the dialogues between the chip 
and the exterior depend on a random value, which is a known 
element of security and a protection against passive 
intrusion and the possibility of simulation. 

- What are the uses of the smart card, specially in matters of 
protection of information and more generally in security? 

They concern: 

- Identification 

- Authentication 

- Enciphering and key management 

They allow the security of: 

- The access to premises or to a network 

- the payment at P.O.S. or at distance 

- the transmission in networks, electronic 
messaging for instance 

- access to services such as: broadcast 
videotex or toll TV, interactive videotex, 
database. 

First let's look at the different uses of the smart card. 



1. Portable Protected Data 

- The smart card contains a memory that is not very big (from eight to 
sixteen K) but is protected against the exterior by a microprocessor 
(or a firmware), and it is possible to store clear confidential data 
in it. These data will be accessible only on production of a secret 
code. 

The applications are: protected portable files such as medicine, 
student portable file, ... 
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- However the smart card is able probably to encipher 
short messages, store and transmit them. 

In particular this system can be used for sending enciphered 
keys at distance. 



2. Identification

Thanks to the content of the secret and inviolable area in the smart card, and thanks to computation which remains within the card, it is possible to verify a personal code with a very good security and so to identify the card's bearer.

But a better identification can be obtained by a more secure storage of patterns bound to physical characteristics of the person, such as:

- the fingerprints

- the speech

- or the dynamic signature.

3. Data Authentication

After data compression by an algorithm (hash code, ...), it is possible to compute and to store in the smart card an "electronic signature", function of this compression and of the transmitter identity. In another connection this signature is added to the original text, a fact which permits the verification.

This process can apply to the certification of accounting or original documents, banking orders and transfers, files and software at different levels of development, for instance.



4. Software protection

In the matter of software protection, several systems can be envisaged:

whether at the transport level, with the encipherment of the software and the deciphering key stored in the smart card,

or at the level of running, with computation elements in the program requiring the presence of the smart card,

or with holes in the program which can be restored with the smart card only.

It is easy to see the applications in the domestic computers area or in the area of video cassettes.

We can see in this case that decoding must be put at the monitor level.



Now let's see other applications.

5. Reciprocal recognition and access control

A simple algorithm computed in the card permits verification, with a random value E, that the two cards are well matched, e.g. $R_a = R_b$, whether in the case of the access control to premises, or a network or a database.

In the network case, every passive intrusion on the line allows neither listening, nor simulation, nor re-use of the dialogue, the information being completely random.

In the case of access control, the combination changes at every access because the key R is fugitive.



6. Card authentication by general system

Another application can be the recognition of the smart card by the system, that is to say its authenticity, based in theory on public key use.

Using a random message M, the system computes C = f(M), f being the public key.

C is transmitted to the card, which contains the secret part of the function.

The big advantage is that the system, which can be a general public terminal, doesn't require any secret function.
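As an added illustration of this section (not from Goutay's paper, which names no algorithm), the following Python sketch uses textbook RSA as the public function f: the terminal holds only the public exponent and modulus, draws a random M, sends C = f(M), and accepts the card if it returns M. The primes are constructed and deliberately tiny, far below any real key size, so the arithmetic stays readable.

```python
import secrets

# Constructed toy parameters (assumption: RSA stands in for the public
# function f; these 32-bit primes are illustrative only, not a real key size).
P, Q = 4294967291, 4294967311
N = P * Q
E_PUB = 65537                                  # public part, known to every terminal
D_SECRET = pow(E_PUB, -1, (P - 1) * (Q - 1))   # secret part, stored only in the card


def f_public(m: int) -> int:
    """The public function f: C = f(M). Anyone may compute it."""
    return pow(m, E_PUB, N)


class Card:
    """Holds the secret part of the function and never discloses it."""

    def __init__(self, d: int, n: int):
        self._d = d
        self._n = n

    def answer(self, c: int) -> int:
        """Apply the secret part to the challenge C and return the result."""
        return pow(c, self._d, self._n)


class Terminal:
    """A general public terminal: knows f only, holds no secret."""

    def __init__(self, n: int):
        self._n = n

    def check(self, card: Card, m: int) -> bool:
        """Send C = f(M) and accept only if the card recovers the random M."""
        c = f_public(m)
        return card.answer(c) == m

    def authenticate(self, card: Card) -> bool:
        m = secrets.randbelow(self._n - 2) + 2   # fresh random message M per dialogue
        return self.check(card, m)


if __name__ == "__main__":
    terminal = Terminal(N)
    genuine = Card(D_SECRET, N)
    forged = Card(12345, N)    # a chip that does not hold the secret part
    print("genuine:", terminal.authenticate(genuine))  # True
    print("forged:", terminal.authenticate(forged))    # False
```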



So in the case of electronic payment at point of sale, the system verifies:

- the authenticity of the smart card and of the bearer

- the guarantee limit

- possibly the black list.

Note in this case that the card allows the management of several access codes: banker code for the valorization, bearer's code, service providers' codes ...

But the possibilities of the smart card are even more interesting in the networks, in matters of security.

In addition to the previously described functions, they allow the automatic logging, the management of preloaded credit fields and, if they can't encipher at this moment, they provide solutions to the delicate problems of key management.



7. Exchange of enciphered data

With a generator of enciphering bits and a random number E, messages can be enciphered thanks to the smart card along a network, with keys R which can be changed at a desired frequency.

In particular the enciphering algorithm A can be very simple.

This system can be set up on any encipherment equipment in networks and provides a solution to delicate problems of key transportation.

One application is given in electronic mail where the cards are used for reciprocal identification of interlocutors and encipherment of information by fugitive keys.



Let's see now very present applications.

8. The telepayment

The first worldwide experiment of telepayment has been in Velizy, near Paris, "TELETEL", and allows a subscriber to make from a videotex terminal, the Minitel:

- the bank statement display

- the remote cash transfer

- the telepayment of goods providers such as the retailer La Redoute.

The smart card (with its reader) consequently permits:

- the sure identification of the subscriber

- the encipherment of messages on line and the generation of "certificates" ensuring their integrity and giving the proof that the information is well registered in the card.

All is in a remote, non-controlled environment.

The security of the system is based on the exchange of fugitive random keys.

Another system of telepayment would be possible, with the use of public keys and the signature of the messages by a secret key of the user, whose public part, signed by the key of the bank, would be transmitted previously by the user. This system doesn't require any black box at the central processor.



9. Protected electronic messaging

General systems can be envisaged to protect in addition the information during its storage in the mailbox of the service computer.

It is possible for example to encipher the data on line, to decipher them immediately in synchronous mode, and finally to encipher them again with another key for the storage.

It would be possible also to envisage another scheme with the use of public key for authentication of the transmitter, but also for transportation of the random key, the message being enciphered itself with this key changing at every message.






10. Broadcast interactive videotex

In the case of access to toll services, whether broadcast programs or videotex services or databases, we have two possible systems:

- one using the preliminary enciphering and the decoding of information thanks to the smart card for those who have paid;

- the other one (pre-payment) permitting the access to the services after having destroyed a bits area in the card, previously credited.

In conclusion, by its vast possibilities not yet explored, the smart card opens new vistas in matters of security, networks and data protection.

Thank you for your attention.



BULL CP8 SMART CARD USES IN CRYPTOLOGY 



Yves GIRARDOT 

BULL CP8 

rue Jean Jaures 

78340 LES CLAYES SOUS BOIS 

FRANCE 



ABSTRACT 

The CP8 smart card has memory and intelligence.

These two characteristics, joined to its technology, make it a fraud-proof and unduplicable portable strong box.

Thus CP8 is a very secure and convenient device to transport, generate or transmit cryptologic keys or data.



THE CP8 CIRCUIT 



The CP8 circuit, designed in FRANCE by BULL, is a monolithic silicon chip containing an eight-bit microprocessor, three kinds of memories, and power supply and dialog interfaces.

- The 36 bytes RAM memory is a scratch one, whose content is lost when the circuit is not powered.

- The 1.6 K bytes ROM memory is an unerasable one. This memory is loaded during the fabrication of the chip itself, and contains a software corresponding to the intelligence given to the circuit.

Each kind of software, called "mask", corresponds to a specific array of applications such as payment, toll television, software protection, etc.

- The 1 K byte PROM memory is the application unerasable storage memory. This memory is empty at the fabrication of the chip, and is loaded later during the different steps of the life of the circuit.

A very important and specific characteristic of the CP8 circuit concerning security is the fact that writing in the PROM memory is totally controlled by the microprocessor. Thus the CP8 circuit is a "self-programmable" one.

- Communications with the CP8 circuit are ensured by only six points. Powering needs three connections (ground, logic voltage, writing voltage for the PROM).

Operating the chip needs two signals coming from the outside (initialization and clock).

The dialog itself is done by only one connection, in an asynchronous bidirectional way.

THE CP8 SMART CARD

The CP8 SMART CARD is a plastic ISO card in which a CP8 circuit is embedded. Connections with the circuit are ensured through a round printed gold-plated patch divided into 8 zones (6 only are used). Yet for special applications it is possible to insert the CP8 circuit on various different supports such as ticket, jock, pen, key...

PROM MEMORY

The PROM memory contains 256 words of 32 bits, and is divided into several zones corresponding to different uses and access modes from the outside of the card. The lengths of these zones are parametrable.
- The SECRET ZONE is impossible to read from outside the chip, either by logical or physical way.

The logical protection is ensured by the microprocessor and its associated software located in the ROM memory.

The physical protection is due to the technology chosen to build the circuit. This zone is loaded with several keys (fabrication, issuer, user's key) and with a secret which is a pattern of about one hundred bits (3 words of 32 bits).

- The ACCESS ZONE is a service one, in which are memorized the accesses using the issuer's or the user's keys.

This memory allows to count good or wrong submitted keys, and to lock the circuit in case of several wrong attempts (usually three).

- The CONFIDENTIAL ZONE can be read if the good issuer's or user's key is given. It generally contains personal or sensitive data.

- The TRANSACTION ZONE is used during the current life of the card. This zone can be read or written, with or without a key, according to the application.

- The FREE ZONE can be read without any key and contains non-sensitive data.

- The FABRICATION ZONE is a service one. It contains data related to the nature of the card and to the organization of its PROM memory.
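An added Python model (not CP8 firmware, which the paper does not show) of why a self-programmable but unerasable PROM fits the ACCESS ZONE just described: each key presentation is recorded by burning a write-once bit before the comparison, a good key then burns a second bit, and the circuit locks after three consecutive wrong keys. The same one-way burning is what Goutay's pre-payment scheme (section 10, "destroyed bits area ... previously credited") relies on. The zone layout, slot count and key values are constructed for the example.

```python
import hmac


class LockedError(Exception):
    """Raised once the circuit has invalidated itself."""


class OneTimePROM:
    """Toy write-once memory: bits start at 0 and can only ever be burned to 1.
    There is deliberately no way to clear a bit (the memory is unerasable)."""

    def __init__(self, n_bits: int):
        self.bits = [0] * n_bits

    def burn(self, index: int) -> None:
        self.bits[index] = 1

    def burned(self, index: int) -> bool:
        return self.bits[index] == 1


class ToyCard:
    """Models the SECRET, ACCESS and CONFIDENTIAL zones described above.
    The ACCESS ZONE is a row of (attempt, good) bit pairs (constructed layout)."""

    MAX_WRONG = 3       # lock after three consecutive wrong keys, as in the paper
    SLOTS = 16          # constructed: room for 16 key presentations

    def __init__(self, user_key: bytes, confidential: bytes):
        self._user_key = user_key          # SECRET ZONE: never readable from outside
        self._confidential = confidential  # CONFIDENTIAL ZONE: released on a good key
        self.access = OneTimePROM(2 * self.SLOTS)

    def presentations(self) -> int:
        """Number of key presentations recorded so far (burned attempt bits)."""
        return sum(self.access.bits[0::2])

    def consecutive_wrong(self) -> int:
        """Attempts since the last good key: trailing pairs with no 'good' bit."""
        n = 0
        for slot in range(self.presentations() - 1, -1, -1):
            if self.access.burned(2 * slot + 1):
                break
            n += 1
        return n

    def is_locked(self) -> bool:
        return (self.consecutive_wrong() >= self.MAX_WRONG
                or self.presentations() >= self.SLOTS)

    def read_confidential(self, presented_key: bytes):
        """Return the confidential zone for the good key, None for a wrong one."""
        if self.is_locked():
            raise LockedError("circuit invalidated")
        slot = self.presentations()
        # Record the attempt BEFORE the comparison: a power cut right after a
        # wrong compare still leaves the attempt burned into the PROM.
        self.access.burn(2 * slot)
        if not hmac.compare_digest(presented_key, self._user_key):
            return None
        self.access.burn(2 * slot + 1)     # mark this presentation as good
        return self._confidential


class PrepaidCounter:
    """Goutay's pre-payment scheme (section 10): credit is a field of unburned
    bits, and spending destroys bits, which no terminal can ever restore."""

    def __init__(self, units: int):
        self.prom = OneTimePROM(units)

    def remaining(self) -> int:
        return len(self.prom.bits) - sum(self.prom.bits)

    def spend(self, units: int) -> bool:
        if units > self.remaining():
            return False
        first = sum(self.prom.bits)
        for i in range(first, first + units):
            self.prom.burn(i)
        return True


if __name__ == "__main__":
    card = ToyCard(b"1234", b"patient file")
    print(card.read_confidential(b"0000"))   # None: wrong key, one bit burned
    print(card.read_confidential(b"1234"))   # b'patient file'
    for _ in range(3):
        card.read_confidential(b"9999")
    print(card.is_locked())                  # True: three wrong keys in a row
```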

ROM MEMORY 

The ROM MEMORY contains three kinds of programs:

- Service programs dealing with all that is necessary to initialize and currently use the card.

- Security programs ensuring a very high level of security by checking flags and data, in order to detect abnormal or fraudulent operations.

- A program corresponding to the implementation of an algorithmic function, to be executed in the card itself.

One of these algorithms is the TELEPASS one-way function. A result R (64 bits) is obtained given three inputs. Two of them are taken in the card: the secret S (96 bits) and an identifier I (32 bits) located at an address i to be chosen.

The third parameter E (64 bits) is given to the card.

R = f(E, I, S)

CP8 AND SECURITY 

CP8 is a very high security card.

This is due to its architecture, its technology and its unerasable, unduplicable memories (resistant to magnetic fields, UV and X rays).

CP8 allows to treat in a very smart and secure manner classical security problems such as identification, authentication, message certification, integrity checks...

Dialogs are randomised using random numbers as input parameters in the TELEPASS ALGORITHM, executed simultaneously in the user's card and in the reference card connected to the host system.

CP8 AND CRYPTOLOGY 

The main problem in cryptology is key management.

All the security given by cryptologic equipment depends on the protection of keys during their preparation, their transport or transmission, their storage and their use.

- Transport and storage problems can be solved with CP8, considering that it is a true portable strong box to be opened or closed by electronic codes.

The issuer's code allows to load a set of keys corresponding for instance to a week, a month, a year, according to the application.

The capacity of the card represents for instance 50 keys of 150 bits, to be loaded in one or several operations.

The loaded CP8 container card can be transported or mailed without problems. It is a fraud-proof, unduplicable, very convenient and very secure key vector.

The user's code allows to read the key in the card and to load the cryptologic equipment.

For more security during storage before usage, the user has the ability to choose a new user's code known only by him.

For more security during loading and reading operations, it is recommended to use "habilitation cards" given only to security officers. These CP8 habilitation cards are able to generate issuer's or user's codes from the data contained in the habilitation card itself and in the key vector cards. These TELEPASS-generated codes are longer and so more secure than manual ones.

- With CP8, key loading and reading operations are automated, hence operators need not read, write or punch them. The values of the keys remain secret.

- Another manner to prevent problems during key transportation is to suppress this operation. Two matched CP8 cards (same secret and same TELEPASS algorithm) are able to generate two equal secret numbers, given a common non-secret one transmitted on the line.

These two equal numbers can feed directly, at both sides, the cryptologic equipment, or a pseudo-random number generator connected to it. This procedure is limited to symmetric key systems.

- Transmission of keys can be done by ciphered ways, using CP8 as ciphering and deciphering systems at both sides.

In this case the CP8 card contains simultaneously the ciphering or deciphering key (the secret pattern in the secret zone of its PROM) and a reversible algorithm (written in its ROM).

Operating the cryptologic cards can be under the control of habilitation cards.



CONCLUSION 



The CP8 smart card's security characteristics have been recognized and are now currently used in many applications such as points of sale, home banking, logical access control, portable files, physical access control, toll services...

Their use in cryptology begins now, first at the key management level, but will increase in the future by dealing with data requiring more processing power in order to execute more sophisticated algorithms quicker.



ESTIMATION OF SOME ENCRYPTION FUNCTIONS IMPLEMENTED INTO SMART CARDS

H. Groscot
76, rue A. Briand, 93220, Gagny, France.

Abstract.

We study a family of encryption functions which is particularly adapted to the situations that arise in smart cards.

Probabilistic arguments show us that "big key" is not synonymous with "good security" for these functions.

We think that the security of such functions has to rely on other criteria.
I. GENERALITIES

1. About protocols using smart cards.

The interest of smart cards not only lies in their intelligence but their security performances concern us as well. These allow the implementation of encryption functions, in order to perform authentication procedures, such as those needed in long-distance payments or in checking access control to buildings.

In this paper, we first show on a small example that smart cards allow us to design cryptographic protocols. In this example, it is assumed that the cards are issued by an organisation for business purposes and may accomplish long-distance operations.

They contain an encryption function $\psi$ depending on a secret key $S$, which is the same in all the cards.

Before each transaction with a customer at a point of sale, one has to be sure that the customer's card is a valid one, and therefore contains $\psi$ and $S$. So one connects the point of sale to a center by means of a telecommunication network. This center has a valid card and a pseudo-random generator at its disposal.

After the insertion of the card in the terminal of the point of sale, it proceeds as follows:

a. The card sends any message to the center.

b. The center sends a random message $E$ back to the card.

c. The card computes $\psi_S(E)$ and gives the result back.

d. The center computes $\psi_S(E)$ by means of its card and compares it with the customer's result.

e. The communication is refused if the results are different.



figure 1



This is just a simple example; but it is possible to design a similar protocol where each card has a different secret key, i.e. depending on a P.I.N. $N$. Here, the card has to send $N$ in the phase a of the protocol. It is also possible to add a password for the user, so that one can authenticate a valid card and its legal user.

Let's remark that all these protocols don't use the inverse function of $\psi$, if it exists.

2. Introduction to the functions studied in this paper.

We have just seen that it is important to devise one-way encryption functions for smart cards. The problem with these new objects is that their ROM, which contains the software (i.e. the code of the encryption function $\psi$), is relatively small. We have to design "simple" functions that are "complicated" enough to be secure! On the other side, the RAM is exceedingly small. We are interested in algorithms that, at any step of the computation, load as small a part of the data as possible into this RAM.

Here, we describe a family of functions that satisfy these requirements. We shall see that these functions can accept very big keys. Therefore we shall study the security of these functions in terms of the length of these keys.
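The dialogue in steps a to e has the same structure as Goutay's reciprocal recognition with a random value E (section 5), as Girardot's TELEPASS dialogs run in the user's card and the reference card, and as the two matched CP8 cards that derive an equal secret number from a common non-secret one. The Python below is an added simulation, not code from any of these papers: the one-way function $\psi_S$ is not disclosed, so HMAC-SHA256 is assumed as a stand-in, and the per-card key derivation, card numbers and master secret are constructed.

```python
import hashlib
import hmac
import secrets


def psi(S: bytes, E: bytes) -> bytes:
    """Stand-in for the card's one-way function psi_S (assumption: HMAC-SHA256,
    truncated to 64 bits like the TELEPASS result R). The real function is
    not given in the papers."""
    return hmac.new(S, E, hashlib.sha256).digest()[:8]


def diversify(master: bytes, N: bytes) -> bytes:
    """Per-card key S_N derived from a master secret and the card number N
    (constructed; this is the 'different secret key depending on a P.I.N.'
    variant described after the protocol)."""
    return hmac.new(master, b"card-key:" + N, hashlib.sha256).digest()


class Card:
    def __init__(self, N: bytes, S: bytes):
        self.N = N       # identifier sent in phase a
        self._S = S      # secret zone: never leaves the chip

    def phase_a(self) -> bytes:
        return self.N

    def phase_c(self, E: bytes) -> bytes:
        return psi(self._S, E)


class Center:
    """Holds the master card and the random generator (phases b, d, e)."""

    def __init__(self, master: bytes):
        self._master = master    # kept inside the center's own card
        self._pending = {}       # challenge E -> card number N, answered once

    def phase_b(self, N: bytes) -> bytes:
        E = secrets.token_bytes(8)          # fresh random message E
        self._pending[E] = N
        return E

    def phase_d_e(self, E: bytes, R: bytes) -> bool:
        N = self._pending.pop(E, None)
        if N is None:                        # unknown or already used challenge
            return False
        expected = psi(diversify(self._master, N), E)   # computed by the center's card
        return hmac.compare_digest(expected, R)


def authenticate(card: Card, center: Center) -> bool:
    """Run phases a to e between a card and the center."""
    N = card.phase_a()
    E = center.phase_b(N)
    R = card.phase_c(E)
    return center.phase_d_e(E, R)


def issue_card(master: bytes, N: bytes) -> Card:
    return Card(N, diversify(master, N))


if __name__ == "__main__":
    master = b"constructed master secret"
    center = Center(master)
    print(authenticate(issue_card(master, b"0001"), center))      # True
    print(authenticate(Card(b"0001", b"guessed key"), center))    # False
```

Because each challenge is accepted once and a fresh E is drawn per dialogue, a recorded (E, R) pair is of no use against a later dialogue, which is the "fugitive key" property both Goutay and Girardot rely on.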

II. THE FUNCTION

1. Description.

The set $\mathbb{M}$ of messages that we consider includes the plaintext and enciphered messages. Let $k$ be a small number (i.e. $k = 8$) and let $\mathbb{K}$ be the set of $k$-bit blocks.

We first start considering a family of functions $\omega_K$, $K \in \mathbb{K}$, from $\mathbb{M}$ to $\mathbb{M}$. These functions are supposed to be easily implemented and they use a little key, but we do not ensure that they are bijective.

Now we choose an integer $n$, and $S = (K_1, \ldots, K_n) \in \mathbb{K}^n$, and we set

$$\psi_S = \omega_{K_n} \circ \cdots \circ \omega_{K_1}.$$

The implementation of $\psi_S$ uses a little more instructions than the $\omega_K$'s one and its key can be as large as desired. Moreover, each step of the computation of $\psi_S(E)$, $E \in \mathbb{M}$, consists of a calculation of $\omega_K$ and so uses only a small part of the key $S$.
2. The problem.

We have to keep in mind that the user of a card will eventually compute as many encrypted messages $\psi_S(E)$, $E \in \mathbb{M}$, as he wishes. So a first question is:

"Is it possible to guess the secret key $S$ from a big amount of couples $(E, \psi_S(E))$ where $E \in \mathbb{M}$?"

However, it is easy to request that the cards compute $\psi_S(E)$ if and only if $E$ has a definite standard form (i.e. the last byte of $E$ represents the current year modulo $2^8$). Then, the opponent user will have to choose the messages $E$ in a subset $\mathbb{M}'$ of standard messages of $\mathbb{M}$. In fact, it will be seen that, if the functions $\omega_K$ are not bijective and satisfy some reasonable hypotheses, the following question has an affirmative answer:

"Is it possible to guess the secret key $S$ by means of a big amount of encrypted messages $\psi_S(E)$ where $E \in \mathbb{M}'$?"

3. Notations and hypotheses.

The notations concerning $\mathbb{M}$, $\mathbb{M}'$, $\mathbb{K}$, $\omega$ and $\psi$ are kept on. As $\omega_K$ is a "little" cipher function, its program uses a "small" flow chart. It is therefore possible to go backward on it so that we have a relatively fast algorithm, with a mean running time of $T$, which gives for each $(F, K) \in \mathbb{M} \times \mathbb{K}$ the list of all the $E$ in $\mathbb{M}$ such that $\omega_K(E) = F$. By means of a spanning tree algorithm, we determine and define the following numbers and sets:

$$A_K(F) = \{E \in \mathbb{M},\ \omega_K(E) = F\},$$

$$A_{K_m,\ldots,K_1}(F) = \{E \in \mathbb{M},\ \omega_{K_m} \circ \cdots \circ \omega_{K_1}(E) = F\},$$

$$X_K(F) = \operatorname{Card} A_K(F),$$

$$X_{K_m,\ldots,K_1}(F) = \operatorname{Card} A_{K_m,\ldots,K_1}(F).$$

The functions $X_K$ and $X_{K_m,\ldots,K_1}$ have to be considered as random variables on the set $\mathbb{M}$. The hypotheses that are given below give a reasonable model for $\omega$.

(H1) The random variables $X_K$, $K \in \mathbb{K}$, are pairwise independent and have the same law as an integer random variable $Y$. We set, for every $n \in \mathbb{N}$, $p_n = \operatorname{Prob}(Y = n)$.

(H2) The number $p_0$ is not null.
(H3) Let $K, L$ be in $\mathbb{K}$. Let's suppose that $F$ and $G$ are randomly and independently chosen in $\mathbb{M}$ so that $\omega_L(F) = \omega_L(G) = E$. On the one hand, there are no a priori correlations between $X_K(F)$ and $X_K(G)$; on the other hand there is no correlation between $X_K(F)$ and $X_L(E)$.

(H4) Let $K_1, \ldots, K_m, L$ be elements of $\mathbb{K}$. If $E$ is chosen randomly in $\mathbb{M}$ and if $F$ is selected at random in $A_L(E)$, there is no correlation between $X_{K_m,\ldots,K_1}(F)$ and $X_L(E)$.

(H5) It is recalled here that the smart card accepts to perform the computation of $\psi_S(E)$ if and only if $E \in \mathbb{M}'$. Moreover it is assumed that the law of $X_K$, $K \in \mathbb{K}$, is the same on $\mathbb{M}'$ as on $\mathbb{M}$.

(H6) This is a technical hypothesis that says that $p_1$ is not null.

Some remarks.

a. The hypothesis H2, which is obviously satisfied when $\omega$ is not bijective, gives the starting point of the search of the key $S$. Let $F$, in $\psi_S(\mathbb{M})$, be such that $X_L(F) = 0$, where $L \in \mathbb{K}$; then one clearly has $L \neq K_n$. That gives a way to throw little blocks of keys away.

b. The hypotheses H1, H3, H4 are sound because $\omega$ is presumed to mix up the bits contained in $E$ and $K$. Moreover, an unsuspected dependence, which could invalidate one of these hypotheses, could as well result in a new way of attack against the secrecy of $S$.

c. The hypothesis H6 is not fundamental but the search of $S$ is faster with it.

d. The main task of H5 is to prevent the kind of attack where one chooses many $E$ in $\mathbb{M}$ and then analyses the so obtained couples $(E, \psi_S(E))$. It is possible to show that, if H5 is false, such a search of $S$ is very easy for the owner of a card.

4. Study of the random variables $X_{K_m,\ldots,K_1}$.

It is deduced from the hypotheses H1, H3, H4 that for every $m \in \mathbb{N}^*$ and $(K_1, \ldots, K_m) \in \mathbb{K}^m$, the random variables $X_{K_m,\ldots,K_1}$ have the same law as a variable that will be noted $Y_m$ from now on. The law of $Y_m$ is deduced from $Y_{m-1}$ as follows:

"$Y_m$ is the sum of $Y_{m-1}$ independent variables with the same law as $Y_1$."

Let $f$ be the generating function of $Y_1$ and $f_m$ be the one of $Y_m$. The end of the paragraph III.15 of "Calcul des probabilités" of Rényi (Dunod) gives:

Proposition 1. The functions $f_m$ satisfy $f_{m+1} = f_m \circ f$, for every $m \in \mathbb{N}^*$.
Let $\sigma$ be the standard deviation of $Y$ and, for every r.v. $Z$, let $E(Z)$ and $\sigma(Z)$ stand respectively for the mean value and the standard deviation of $Z$. The proposition 1 allows us to study $Y_m$ and we obtain the following assertions:

Proposition 2.

a. For every $m \in \mathbb{N}^*$, $E(Y_m) = 1$ and $\sigma^2(Y_m) = m\sigma^2$.

b. The series $\operatorname{Prob}(Y_m = 0)$ is strictly increasing with limit 1, and $1 - \operatorname{Prob}(Y_m = 0) \sim 2/(\sigma^2 m)$.

c. For every $\varepsilon > 0$, there is a constant $c > 0$ such that, for every $m \in \mathbb{N}^*$, one has $\operatorname{Prob}(Y_m = 1) > c/m^{2+\varepsilon}$.

Demonstration.

First we compute $E(Y_1)$. To do this, one has to compute $E(X_K)$ where $K$ is any element of $\mathbb{K}$. The numbering of $\mathbb{M}$ gives

$$\operatorname{Card} \mathbb{M} = \sum_k k \cdot \big(\operatorname{Prob}(X_K = k) \cdot \operatorname{Card} \mathbb{M}\big),$$

and $\sum_k k\, p_k = 1$. Therefore we have $E(Y_1) = 1$. Then, it is easy to see that

$$E(Y_m) = E(Y_1)^m = 1.$$

The calculation of $\sigma(Y_m)$ is done recursively on $m$. We use the following formulas:

$$\sigma^2(Y_m) = f_m''(1) + f_m'(1) - f_m'(1)^2 = f_m''(1),$$

$$f_m'(1) = 1,$$

$$f_m''(z) = f''(z) \cdot f_{m-1}'(f(z)) + f'(z)^2 \cdot f_{m-1}''(f(z)),$$

and, evaluating at $z = 1$, we obtain $\sigma^2(Y_m) = \sigma^2 + \sigma^2(Y_{m-1})$, hence $\sigma^2(Y_m) = m\sigma^2$, and one has the part a of the proposition.

Now the series $(f_m(0))$ is strictly increasing and has 1 as limit. In order to obtain b, one shows the following fact: for every $\varepsilon > 0$, there exists an $M \in \mathbb{N}$ such that, for every $m > M$, one has

$$\frac{2 - \varepsilon}{\sigma^2 m} < 1 - f_m(0) < \frac{2 + \varepsilon}{\sigma^2 m}.$$

Let $m$ be an integer and set $a = 1 - f_m(0)$. From the Taylor formula, there is a real $\theta \in\, ]0, 1[$ such that

$$f(1 - a) = 1 - a + \frac{a^2}{2}\, f''(1 - \theta a).$$
Therefore

$$\frac{1}{1 - f_{m+1}(0)} - \frac{1}{1 - f_m(0)} = \frac{\tfrac{1}{2}\, f''(1 - \theta a)}{1 - \tfrac{a}{2}\, f''(1 - \theta a)}.$$

The right hand side is a continuous function of $(\theta, a)$ that takes the value $\sigma^2/2$ at $(\theta, 0)$; therefore there exists an integer $M$ such that the left hand side lies in the interval $]\sigma^2/(2 + \varepsilon/2),\ \sigma^2/(2 - \varepsilon/2)[$ for every $m > M$. That gives b to us.

The demonstration of c starts from the following formula:

$$f_m'(0) = f'(f_{m-1}(0)) \cdots f'(f_1(0)) \cdot f'(0),$$

which is a consequence of the proposition 1. Because of the hypothesis H6, this term is not null. One uses the estimation of $f_k(0)$ just given to apply the Taylor formula at $f'(f_k(0))$. One has then to find a lower bound for the following product

$$\prod_{k=b}^{m} \left(1 - \frac{a}{k}\right),$$

where $a = 2 + \varepsilon$ and $b > 0$. This last product is equivalent to

$$\frac{\Gamma(b+1)}{\Gamma(b-a+1)}\, m^{-a}$$

(use the Stirling formula), and one can conclude.

We end this section with the study of the random variables $X_{K_n,\ldots,K_{n-m+1}} \circ \psi_S$, where $m \le n$. Let $Y_m \circ \psi$ be that variable. It is met when one takes $E \in \mathbb{M}'$ at random and then computes $F = \psi_S(E)$ by means of the card to observe $X_{K_n,\ldots,K_{n-m+1}}(F)$.

Proposition 3. For every $r \in \mathbb{N}$, one has

$$\operatorname{Prob}(Y_m \circ \psi = r) = r \cdot \operatorname{Prob}(Y_m = r).$$

The generating function of the r.v. $Y_m \circ \psi$ is $z \mapsto z\, f_m'(z)$.

The second assertion is directly deduced from the first one and gives with the proposition 2:

Corollary.

a. For every $\varepsilon > 0$, there is a constant $c > 0$ such that, for every $m$, one has $\operatorname{Prob}(Y_m \circ \psi = 1) > c/m^{2+\varepsilon}$.

b. $E(Y_m \circ \psi) = 1 + m\sigma^2$.

In order to show the proposition 3, we have to give an estimation of $\operatorname{Prob}(Y_m \circ \psi = r)$. First we start numbering the elements $x \in \mathbb{M}$ such that $Y_m(\psi(x)) = r$, which is the same as to sum the $Y_n(y)$ where $y \in \mathbb{M}$ and $Y_m(y) = r$. Therefore

$$\operatorname{Prob}(Y_m \circ \psi = r) = \frac{1}{\operatorname{Card} \mathbb{M}} \sum_{y \in \mathbb{M},\ Y_m(y) = r} Y_n(y) = \sum_l l \cdot \operatorname{Prob}(Y_m = r \text{ and } Y_n = l) = \sum_l l \cdot \operatorname{Prob}(Y_n = l \mid Y_m = r) \cdot \operatorname{Prob}(Y_m = r).$$

Let's keep in mind that $Y_n$ and $Y_m$ represent respectively $X_{K_n,\ldots,K_1}$ and $X_{K_n,\ldots,K_{n-m+1}}$. Therefore $Y_n$ is the sum of $r$ independent r.v. with the same law as $Y_{n-m}$ when it is known that $Y_m = r$. The conditional mean value of $Y_n$ is then equal to $r$ when $Y_m = r$. Therefore, we obtain the proposition 3.



5. The search of the key.

It is shown here how some elements of $\omega_{L_0}(\mathbb{M})$ can be used to find $L_0$; which directly applies to the search of $K_n$. Let $(F_i)_{i \in \mathbb{N}}$ be a random series of elements of $\mathbb{M}$ and, for every $L \in \mathbb{K}$, let $J(L)$ be the smallest index $i$ such that $X_L(F_i) = 0$. The mean value of $J(L)$ is $1/p_0$.

Let $h$ be an integer and $L_1, \ldots, L_h$ be elements of $\mathbb{K}$. We suppose that we have chosen the $F_i$ in $\omega_{L_0}(\mathbb{M}')$, for some unknown $L_0 \in \mathbb{K}$ where $L_0 \neq L_i$ ($1 \le i \le h$). We want to guess that $L_0 \neq L_i$, using the minimum number of $F_i$. Let $J$ be the maximum of the values $J(L_1), \ldots, J(L_h)$. We know now that, for every $L_i$, if we compute $X_{L_i}(F_1), \ldots, X_{L_i}(F_j), \ldots$, there will be some $j$ such that $X_{L_i}(F_j) = 0$, with $1 \le j \le J$. So we can eliminate $L_i$ with less than $J$ tries (cf. the remark a after the hypothesis H2). If we compute, for every $F_j$, the vector $(X_K(F_j))_{K \in \mathbb{K}}$ (remember that $\mathbb{K}$ is a relatively small set), $J$ vectors are enough for the elimination of all the $L_i$ ($1 \le i \le h$). An easy computation shows that the mean value of $J$ is $O(\log h)$.

Now, the search of the key $S$ is done step by step.

To find $K_n$, as we have $\psi_S(\mathbb{M}') \subset \omega_{K_n}(\mathbb{M})$, we pick at random messages $F \in \psi_S(\mathbb{M}')$ and, for every such $F$, we compute the vector $(X_K(F))_{K \in \mathbb{K}}$. We throw each $K$ such that $X_K(F) = 0$ away. This elimination process is complete after $O(\log \operatorname{Card} \mathbb{K}) = O(k)$ vector computations.

Now let $m \le n$; the main difficulty here is to find random messages $F \in \omega_{K_{n-m}}(\mathbb{M})$. We proceed recursively and we suppose that $K_n, \ldots, K_{n-m+1}$ are known. First of all, we look for messages $E \in \mathbb{M}'$ such that the set $A_{K_n,\ldots,K_{n-m+1}}(\psi_S(E))$ has exactly one element $F$. The corollary of the proposition 3 says that we must perform a mean value of $O(m^{2+\varepsilon})$ tries to find such a message. We then apply the above mentioned method at about $O(k)$ messages $F$ to find $K_{n-m}$.
Figure 2.
Before giving the result of this paragraph, we have to perform the estimation of the mean number of operations needed to compute $Y_m \circ \psi_S$ at any $E \in \mathbb{M}$. Let $G$ be the mean number of operations needed to compute $\omega$; $\psi_S(E)$ needs about $nG$ operations when computed at any $(E, S)$ in $\mathbb{M} \times \mathbb{K}^n$. Let's remember that the mean number of operations needed for the calculation of $X_K$ is $T$. To obtain $X_{K_n,\ldots,K_{n-m+1}}(F)$, one has to develop a tree whose depth is $m$. The root, of depth 0, is $F$; the sons of every node of depth $p$ are its antecedents by $\omega_{K_{n-p}}$. Every node $F'$ of depth $p$ induces the calculation of an $A_{K_{n-p}}(F')$, which means about $T$ operations. The mean number of these nodes is

$$\sum_{p=1}^{m} E(Y_p \circ \psi) = O(m^2).$$

Therefore $O(m^2 T + nG)$ operations are approximately needed to compute $Y_m \circ \psi$.

Figure 3.
Now, we apply these results and the corollary of the proposition 3 with $\varepsilon = 0.1$ to conclude this paper with the following proposition:

Proposition 4. With the above mentioned hypotheses, there exists an algorithm that allows the owner of a smart card using $\psi$, who is allowed to compute enciphered messages of $\mathbb{M}'$ at will, to find the secret key of $\psi$ with a mean number of

$$O\big(kTn^{5.1} + Gn^{2.1} + k2^kTn\big)$$

operations.
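An added simulation (not the paper's own code) of the setting behind hypotheses H1 and H2 and Propositions 2 and 3: each $\omega_K$ is taken as a random map on a constructed message set of $2^{12}$ elements (so the law $Y$ of $X_K$ is Poisson(1), with $p_0 = 1/e$ and $\sigma^2 = 1$), $\psi_S$ is tabulated for a constructed key $S$, and the script measures $E(Y_m)$, $\sigma^2(Y_m)$, $\operatorname{Prob}(Y_m = 0)$ and $\operatorname{Prob}(Y_m = 1)$, then applies remark a after H2 to discard candidate blocks for $K_n$ from observed outputs $\psi_S(E)$. The message size, key length and seeds are assumptions of the example.

```python
import random
from collections import Counter
from statistics import pvariance

M_BITS, K_BITS = 12, 8                 # constructed: Card M = 2^12, k = 8 as in the paper
M_SIZE, K_SIZE = 1 << M_BITS, 1 << K_BITS


def omega_table(K: int, seed: int = 7) -> list:
    """Toy omega_K: a random, hence non-bijective, map M -> M fixed by K.
    For a random map the law Y of X_K is Poisson(1): p_0 = 1/e, sigma^2 = 1."""
    rng = random.Random((seed << K_BITS) | K)
    return [rng.randrange(M_SIZE) for _ in range(M_SIZE)]


OMEGA = [omega_table(K) for K in range(K_SIZE)]


def compose(keys) -> list:
    """Table of omega_{K_m} o ... o omega_{K_1} for S = (K_1, ..., K_m);
    K_1 is applied first, as in the definition of psi_S."""
    table = list(range(M_SIZE))
    for K in keys:
        t = OMEGA[K]
        table = [t[x] for x in table]
    return table


def preimage_counts(table) -> list:
    """X(F) = Card{E : table[E] = F}, indexed by F (the tree of section 4 is
    replaced by a single pass over the table, since M is small here)."""
    counts = [0] * M_SIZE
    for F in table:
        counts[F] += 1
    return counts


def law_stats(keys):
    """Empirical (mean, variance, Prob(Y_m = 0), Prob(Y_m = 1)) of X_{K_m..K_1}."""
    X = preimage_counts(compose(keys))
    hist = Counter(X)
    return sum(X) / M_SIZE, pvariance(X), hist[0] / M_SIZE, hist[1] / M_SIZE


def eliminate_last_block(S, n_samples: int, rng: random.Random) -> set:
    """Remark a after H2: every observed output F = psi_S(E) lies in omega_{K_n}(M),
    so a candidate K with X_K(F) = 0 cannot be K_n. Returns the candidates
    that survive n_samples observations (the true K_n always does)."""
    psi = compose(S)
    vectors = [preimage_counts(OMEGA[K]) for K in range(K_SIZE)]   # (X_K(F))_K
    alive = set(range(K_SIZE))
    for _ in range(n_samples):
        F = psi[rng.randrange(M_SIZE)]
        alive = {K for K in alive if vectors[K][F] > 0}
    return alive


def demo(n_blocks: int = 6, n_samples: int = 32, seed: int = 1):
    rng = random.Random(seed)
    S = [rng.randrange(K_SIZE) for _ in range(n_blocks)]   # constructed key S
    rows = [(m,) + law_stats(S[:m]) for m in (1, 2, 4, n_blocks)]
    survivors = eliminate_last_block(S, n_samples, rng)
    return rows, survivors, S[-1]


if __name__ == "__main__":
    rows, survivors, K_n = demo()
    print(" m   E(Y_m)  Var(Y_m)  P(Y_m=0)  P(Y_m=1)")
    for m, mean, var, p0, p1 in rows:
        print(f"{m:2d}   {mean:.3f}   {var:.3f}    {p0:.3f}    {p1:.3f}")
    print("candidates left for K_n:", sorted(survivors), "true K_n:", K_n)
```

The mean is exactly 1 for every $m$ because the $2^{12}$ messages are shared out among the $2^{12}$ outputs, while the variance grows and the mass moves to $Y_m = 0$, which is why a longer key (larger $n$) does not make the output of $\psi_S$ look more random.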
I - INTRODUCTION TO SMART CARDS

According to ISO (International Organization for Standardization), an IC (Integrated Circuit) card is an ID (identification) card including in its thickness (0.76 mm) one or more integrated circuits.

An IC card is "smart" when the integrated circuit is a microprocessor, with processing power combined with permanent storage capacity. The operating system in the microprocessor controls and manages all the accesses to the electrically programmable memory.

1.1 - Chip design

The first step in the design of a dedicated chip for smart cards is to choose some central processor unit and some EPROM technology (such as UV-erasable EPROM, and soon, single voltage EEPROM). The CPU must be redrawn in the EPROM technology.

The design of the buses must allow EPROM self-programming under control of the operating system in masked ROM. Various traps and mechanisms must be introduced to increase physical security and to facilitate tests during the manufacturing process.

The CP8 chip, till now the only one in the world, is manufactured by MOTOROLA Inc. in GLASGOW (SCOTLAND) under licence by BULL CP8 established in LES CLAYES SOUS BOIS (FRANCE). This chip is described here as an illustration: a 6805 CPU, 1.6 kbyte masked ROM, 1 kbyte EPROM, 36 bytes RAM, 18 mm².

The operating system is mask programmed, so that the same production line provides chips for various applications, and new applications are easy to develop.

In the future, new chips will appear in order to reduce prices and to increase performances; but due to interface standardization, remotely controlled terminals will not become obsolete. Moreover, chip evolution can keep the security features one or two steps ahead of the efforts of those trying to defeat them.
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1.2 - Card interface 

Smart cards are intended for transactions negotiated between the 
outside and the microprocessor through the interface. 

Only six electrical contacts are required in the French proposal 
presented by AFNOR (Association Francaise de Normalisation) to ISO. 
While suitable signals are provided by the outside on five contacts : 
GND (ground), VCC (power supply), VPP (programming voltage), CLK 
(clock), and RST (reset), information may be exchanged in half-duplex 
asynchronous mode on the sixth contact : I/O (input / output). In its 
answer to reset, the card informs the outside of its performance, its 
conventions and its nature. 

A transaction with the card consists of the successive operations : 
activation of the contacts, reset of the card, processing of one or 
more instructions, deactivation of the contacts. As a result of a 
transaction, the card modifies its content (data storage, event 
memorization,...) and/or delivers information (stored data, 
computation results,...). 

An instruction (always initiated by the outside through I/O) tells 
the card what to do in a 5-byte header (APP-INS-A1-A2-L) and allows 
the transfer of one block of data (D1-D2...DL) in one direction under 
control of procedure bytes from the card. The header consists of the 
application name (APP), the instruction code (INS) completed by a 
reference (A1-A2), and the length (L) of the block of data. Procedure 
bytes allow the card to manage the programming voltage and to control 
the data transfer. 
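As an added illustration (not code from the paper or from the AFNOR proposal), the following Python model frames the instruction just described: the 5-byte header APP-INS-A1-A2-L followed by one data block D1..DL travelling in a single direction, with the card-side decoder rejecting a frame whose data length disagrees with L. The one-byte width of each field, the outgoing/incoming naming of the two transfer directions and the sample values are assumptions of this example; the procedure bytes the card emits to pace the transfer are not modelled.

```python
"""Added example (not from the paper): framing of a CP8-style instruction.
Field widths, direction naming and sample values are assumptions."""
from dataclasses import dataclass

HEADER_LEN = 5  # APP, INS, A1, A2, L


@dataclass(frozen=True)
class Instruction:
    app: int           # APP, application name
    ins: int           # INS, instruction code
    a1: int            # A1, reference (high byte)
    a2: int            # A2, reference (low byte)
    length: int        # L, size of the single data block
    data: bytes = b""  # D1..DL when the block travels outside -> card

    def header(self) -> bytes:
        for name, v in (("APP", self.app), ("INS", self.ins), ("A1", self.a1),
                        ("A2", self.a2), ("L", self.length)):
            if not 0 <= v <= 0xFF:
                raise ValueError(f"{name} must fit in one byte")
        return bytes([self.app, self.ins, self.a1, self.a2, self.length])

    def reference(self) -> int:
        """A1-A2 read as one 16-bit reference (e.g. an address in the card)."""
        return (self.a1 << 8) | self.a2


def encode(instr: Instruction) -> bytes:
    """Outside -> card: the header, followed by the data block when the
    transfer is outgoing (the block must then be exactly L bytes)."""
    if instr.data and len(instr.data) != instr.length:
        raise ValueError("data block length does not match L")
    return instr.header() + instr.data


def decode(frame: bytes, incoming: bool) -> Instruction:
    """Card side. Outgoing transfer: L data bytes must follow the header.
    Incoming transfer: the header travels alone and L announces how many
    bytes the card must return."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the 5-byte header")
    app, ins, a1, a2, length = frame[:HEADER_LEN]
    body = bytes(frame[HEADER_LEN:])
    expected = 0 if incoming else length
    if len(body) != expected:
        raise ValueError(f"expected {expected} data bytes, got {len(body)}")
    return Instruction(app, ins, a1, a2, length, body)


def is_well_formed(frame: bytes, incoming: bool) -> bool:
    """The check a card would apply before acting on a frame."""
    try:
        decode(frame, incoming)
        return True
    except ValueError:
        return False
```

The point of the length check is that the card, not the terminal, decides whether a frame is acceptable: a terminal on an insecure line can send anything, and the operating system in masked ROM must refuse a block whose announced length L and actual length disagree before touching the EPROM.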

1.3 - Security 

Smart cards have security features that only a computing device 
could provide. The transactions are negotiated between the outside 
and the internal microprocessor. The passive cards with magnetic 
stripes and digital optical records do not have such properties, 
such as complex choices. 

The physical security relies upon the impossibility of modifying the 
operating system in the masked ROM, and upon the difficulty of 
reading secrets in the protected memory : a clever chip design 
increases significantly the physical security of the cards. 

The logical security relies upon the processing power of the chip and 
upon the cryptographic algorithms used in the application : the 
operating system must be written very carefully. An improved 
processing power may increase significantly the logical security of 
the cards. 
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Absolute security does not exist, for smart cards no more than for 
other computing devices. So in a new application, the designer must 
consider the consequences of successful violations. The secrets in a 
user card must be individualized, tied to the card identity ; a card 
violation then results in an attack against one user, not endangering 
the whole system. 

2 - SMART CARD APPLICATIONS 

Smart cards are portable information carriers with three fundamental 
aims : 

- Secure memorisation in the card - destruction of the corresponding 
writing mechanisms prevents further alteration of recorded data. 

- Personalized memorisation in the card - confidential codes recorded 
in the EPROM memory and checked by the card itself allow operator 
recognition by the card. 

- Cryptographic computation in the card - cryptographic algorithms 
described in the operating system are executed under control of 
secret keys recorded in the EPROM memory. 

Depending on the leading aim, smart card applications can thus be 
divided into three classes : log books, certified records, key 
carriers. 

2.1 - Log books 

First aid efficiency should be considerably improved by reliable and 
convenient personal medical files. A user code is not recommended in 
case of emergency. 

Student cards are being experimented with at PARIS University. 

Such cards can be used as repair and maintenance note books for 
vehicles : cars, planes, trucks, ships... 

2.2 - Certified records 

Confidential codes control the life of such cards : manufacturer 
code, issuer code, user code. When an incorrect code has been entered 
three times in a row, even on different terminals, the card locks 
itself, preventing any further operation. 

The card tests its availability and its purchasing power before 
recording a new operation (date and amount). The banker will consider 
a readable card as a beginning of proof in the settlement of a dispute 
between a user and a retailer. 
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2.3 - Key carriers 

Assuming chip inviolability and cryptographic algorithm security, the 
holder cannot get a copy of the keys recorded in his card. A highly 
secure identification of the bearer is achieved through use of 
cryptography to defeat fraud, and through use of confidential codes 
to defeat theft. Key carriers are particularly suitable in 
conditional access to services, to resources, to selected areas... 

3 - CONDITIONAL ACCESS 

In conditional access, a key carrier card materializes authorizations : 
the holder can use the card, but the card itself remains under issuer 
ownership. 

Each authorization is an entitlement. A remote controller, through an 
insecure transmission line and an insecure domestic terminal, can 
securely negotiate a transaction with the card : 

- VERIFY the validity of an entitlement, 

- DEVALORIZE an entitlement, either on a subtractive basis by 
consuming a credit, or on an additive basis by storing a debit, 

- VALORIZE an entitlement, either by delivering credits, or by 
clearing debits, 

- ENTITLE, by delivering a new entitlement. 

The transaction negotiated through the card interface includes an 
instruction requesting a cryptographic computation by the card. An 
important distinction is made between transactions to check 
entitlements (VERIFY, DEVALORIZE), and transactions to manage 
entitlements (VALORIZE, ENTITLE). This description of conditional 
access is influenced by the work of EBU (European Broadcasting Union) 
on Direct Broadcasting Satellite. 

3.1 - Entitlement checking 

An entitlement checking transaction is used to verify or to 
devalorize an entitlement. The aim of such a transaction is to deliver 
control words. The cryptographic computation during such a transaction 
is executed with an authorization key. 

An authorization key is common to a group of customers for a 
limited time. The usage of such a key may be restricted by additional 
parameters to be compared with the authorization status in the card. 

Authorization keys encipher control words. The corresponding 
cryptograms are known as the verification signal. 
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Depending on the application, control words may be sent back 
to the remote controller for verification, or used in the terminal as 
cryptographic keys. 

3.2 - Entitlement management 

An entitlement management transaction is used to valorize or 
to entitle. The aim of such a transaction is to increase the value of 
a card. The cryptographic computation during such a transaction is 
executed with a distribution key. 

A distribution key is unique to each card, or a very small 
group of cards. The distribution keys belong to the card issuer ; they 
allow the management of distributed authorizations owned by the card 
holder. 

A distribution key enciphers individual customer messages 
and/or authorization keys. The corresponding cryptograms are known as 
the validation signal. 

3.3 - Implementations 

In access control through interactive networks to services or 
resources (videotex, public telephone, data networks, teletex, files 
and computers...), the control word can be sent back on the line to 
prove the user's right to access, or used by the terminal to decipher 
subsequent data. 

In conditional access to broadcast services, the control word must be 
used in the decoder, according to synchronisations, in order to 
descramble the service components (video and sound, teletext pages, 
various data...). 

The entitlement management can be done over-the-air by addressing 
through a broadcast signal, as well as on-line through switched 
networks. The management can also involve other networks like mail or 
banks. 

4 - A CP8 CARD FOR CONDITIONAL ACCESS 

Conditional access key carrier cards are now manufactured by BULL 
CP8 : the specifications were elaborated for application to ANTIOPE 
teletext ; but these cards are now proposed for pay-TV, for taxation 
of videotex databases, and for identification purposes in fields as 
various as public telephone, computers, and selected areas. 

The card may carry up to thirty two authorizations consisting of an 
authorization key (127 bits), an identifier (24 bits), and a status 
(variable in size and structure). 



4.1 - Mode of operation 

In the instruction requesting a cryptographic computation, the block 
of data given to the card consists of an identifier (24 bits), a 
parameter (24 bits) and a cryptogram (127 bits). 

The identifier names the authorization concerned by the transaction. 
The status of this authorization must be compatible with the 
parameter. For example, when the authorization is a subscription, the 
date indicated in the parameter must lie in the interval (validity 
date and period) indicated in the status. 

When the conditions are verified, the card performs the computation : 
a result (61 bits) is obtained from the cryptogram (127 bits), the 
parameter (24 bits), and the secret key (127 bits). 

During an entitlement checking transaction, on an instruction 
requesting the result, the outside gets the control word as an 8-byte 
block. The authorization status is modified or not depending on the 
operation : a devalorization or a verification. 

During an entitlement management transaction, the card must apply 
the distribution key (varying from one card to another). The card 
checks the result (the first four bytes must be equal to the last 
four bytes), and modifies the status of the designated authorization. 
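The following Python simulation is an added example, not code from the paper or from BULL CP8, of the mode of operation above together with the two-level key hierarchy of sections 3.1 and 3.2: an authorization key shared by a group of customers enciphers control words (the verification signal), while a distribution key unique to the card enciphers the directives that change an authorization's status (the validation signal). Because the double-field algorithm itself is not published on the page, a stand-in is used: a 4-round Feistel permutation on 128-bit blocks with HMAC-SHA256 as round function, which is invertible as the text requires. Sizes are rounded to whole bytes (128-bit key and cryptogram, 64-bit result instead of 127/127/61 bits), the key is "modified by the parameter" by XORing the 3-byte parameter into its last bytes, the status is modelled as a subscription (first valid day, period), and the 4-byte management directive is taken to carry a new validity interval; all of these, and the sample keys, are assumptions of this illustration.

```python
"""Added example (not the paper's or BULL CP8's code): simulation of the
section 4.1 card with a Feistel/HMAC stand-in for the card's algorithm.
Byte-rounded sizes, parameter mixing and status layout are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:16]
    for i in range(4):
        left, right = right, _xor(left, _f(key, right, i))
    return left + right


def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:16]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, left, i)), left
    return left + right


def keyed(key: bytes, parameter: bytes) -> bytes:
    """Key C 'modified by' the 24-bit parameter P (assumption: XOR into the tail)."""
    return key[:13] + _xor(key[13:], parameter)


@dataclass
class Authorization:
    key: bytes       # authorization key, common to a group of customers for a time
    valid_from: int  # status of a subscription: first valid day number
    period: int      # number of days covered


class Card:
    MAX_AUTHORIZATIONS = 32

    def __init__(self, distribution_key: bytes):
        self.distribution_key = distribution_key    # unique to this card
        self.table: dict[int, Authorization] = {}   # keyed by 24-bit identifier

    def install(self, identifier: int, auth: Authorization) -> None:
        """Card configuration: the issuer loads an authorization before distribution."""
        if identifier not in self.table and len(self.table) >= self.MAX_AUTHORIZATIONS:
            raise RuntimeError("the card carries at most 32 authorizations")
        self.table[identifier] = auth

    def entitlement_check(self, identifier: int, parameter: bytes,
                          cryptogram: bytes) -> Optional[bytes]:
        """VERIFY: the date in the parameter must lie in the validity interval
        of the named authorization; the card then returns the 8-byte control word."""
        auth = self.table.get(identifier)
        if auth is None:
            return None
        date = int.from_bytes(parameter, "big")
        if not auth.valid_from <= date < auth.valid_from + auth.period:
            return None
        return feistel_decrypt(keyed(auth.key, parameter), cryptogram)[:8]

    def entitlement_manage(self, identifier: int, parameter: bytes,
                           cryptogram: bytes) -> bool:
        """VALORIZE: under the distribution key the result must have its first
        four bytes equal to its last four; the 4-byte directive (assumed: new
        valid_from and period, 2 bytes each) then replaces the status."""
        auth = self.table.get(identifier)
        if auth is None:
            return False
        result = feistel_decrypt(keyed(self.distribution_key, parameter), cryptogram)[:8]
        if result[:4] != result[4:]:
            return False
        auth.valid_from = int.from_bytes(result[:2], "big")
        auth.period = int.from_bytes(result[2:4], "big")
        return True


# Remote controller side: building the signals the card will process.
def verification_signal(auth_key: bytes, parameter: bytes, control_word: bytes) -> bytes:
    """Enciphers an 8-byte control word; the padding is constant so that the
    card's 8-byte result regenerates exactly the control word."""
    return feistel_encrypt(keyed(auth_key, parameter), control_word + bytes(8))


def validation_signal(dist_key: bytes, parameter: bytes, directive: bytes) -> bytes:
    """Enciphers a 4-byte directive doubled, which is what the card checks."""
    return feistel_encrypt(keyed(dist_key, parameter), directive * 2 + bytes(8))
```

Two properties of the text are visible in this model: the same control word can be described by different cryptograms, one per audience, because the controller simply enciphers it under each audience's authorization key; and a validation signal built under the wrong key fails the redundancy check with overwhelming probability, so only the holder of the card's distribution key (the issuer) can change an authorization's status.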

4.2 - Card elaboration 

Chips still on the wafer are tested by a dedicated machine writing a 
serial number and a manufacturer secret code in each valid chip. 
Testing points are then destroyed, thus definitively disabling 
invalid chips. This operation is known as chip creation. 

Thereafter chips are cut and inserted in ID cards. The card issuer 
then writes in each card a distribution key computed from the chip 
serial number. The issuing secret function may be materialized by 
another card. This distribution key must be correctly used to write 
any other secret in the card, and to manage authorizations in the 
card. Assuming the secrecy of the issuing function, only the card 
issuer can do these operations : he will really control the card 
life. 

The card is now ready to receive authorizations. A wide variety of 
card life scenarios can be prepared during the card configuration. 

After these three successive operations (chip creation, card issue, 
card configuration), the cards are distributed to the public. 
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5 - SMART CARDS AND CRYPTOLOGY 

Cryptographic algorithms are essential in conditional access. But 
widely known algorithms do not fit the CP8 chip : 

- a 36 byte RAM is sufficient for the DES, but the microcode size is 
about 1.6 kbyte, which is the size of the masked ROM. 

- with a 36 byte RAM, one can compute exponentials modulo a composite 
number up to ninety bits. So a 128 byte RAM is a minimum to implement 
a medium security RSA scheme, with 320 bit composite numbers. And a 
192 byte RAM is hoped for a good security. 

5.1 - Actual algorithms 

- A first algorithm (one-way, 200-byte microcode) is known as 
TELEPASS. A result R (64 bits) is computed from secret key S (96 
bits), data I_n (32 bits) stored at address n, and input E (64 bits). 

R = P(S, I_n, E) 

This first algorithm is used to remotely verify rights and identity 
claimed by a card, and to remotely verify the writing of some 
information at the right address in the card. 

- A second algorithm (inverting another algorithm ; 300-byte 
microcode) is known as the double-field algorithm. A result K (61 
bits) is computed from a cryptogram M (127 bits) and a secret key C 
(127 bits) modified by a parameter P (24 bits). 

K = g(C + P, M) 

Invertibility is essential : in a broadcast system, the same control 
word is described by as many entitlement checking messages as there 
are audiences authorized to access the information. For example, the 
same movie may be accessible by impulse-pay-per-view as well as by 
subscription, or by a prepaid ticket. 

Invertibility is also essential to ensure entitlement management : 
enciphered personalized directives may be addressed to an identified 
card. 

- A third algorithm (invertible, 200-byte microcode), also named 
TELEPASS, has been prepared for the new bank card specifications. 
This algorithm allows the introduction of the key carrier philosophy 
in the bank cards. 

The evolution will strengthen these algorithms. But a question 
remains open : what is the most complex algorithm on a 6805 CPU with 
the performances : 200-byte microcode, 30-byte RAM, a half second 
execution time ? 
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5.2 - Identity certificates 

Improved card personalization is obtained by recording identity 
certificates in the card. 

Such a certificate (a 320-bit RSA scheme in IPSO bankcards used on 
public telephone) is computed by applying a signature function (take 
the cubic root modulo) to the concatenation of chip serial number 
(50 bits), subscriber identifier (50 bits), various codes (60 bits), 
date and period of validity (40 bits), completed by some easily 
checked redundancy (120 bits). 

Any remote or local controller can verify the genuineness of identity 
certificates by applying the verification function (raise to the cube 
modulo). Forgery being computationally infeasible, black lists on 
serial numbers and user identifiers are then very efficient. 

5.3 - Some reflections 

The actual key carriers allow only pseudo off-line systems, well 
fitting hierarchical situations with a central authority, such as a 
computer and time-sharing terminals. 

In IPSO payment experiments, the main proof remains inside the card. 
Computation results may be stored by the retailer in order to certify 
records in the card, but only the authority can check the genuineness 
of such results. There is an important parallel with arbitrated 
signature schemes. 

6 - TOWARDS DIGITAL SIGNATURES 

Secret functions of a public key cryptosystem can play two parts in 
an electronic mail environment : 

- regenerate the control word deciphering the subsequent message, 

- sign an authentication code added to the message. 

But in both cases, the security of the secret function is essential ; 
if this function is materialized by a key carrier card with a good 
level of physical security, the legitimate holder himself has the 
greatest difficulty to get a copy. 

Depending on the main part played by the secret function, such a key 
carrier can be seen : 

- as a paper-knife, opening the protection envelope, 

- or as a signature stamper, certifying the letter. 

Such smart cards are now under investigation ; and this evolution 
will lead to off-line systems and digital signatures. 
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6.1 - Scenario for electronic payment 

- 1 - The user controls the parameter generation on some domestic 
device producing random primes under additional conditions so as to 
construct a composite number. In the example, the composite number 
has the special form N = 2^320 + K, with K < 2^240. So the 240-bit K 
describes the 321-bit N. 

The prime factors are recorded as secret parameters in a stamper : a 
key carrier card dedicated to signatures (take the cubic root modulo 
N). And the value K is recorded as a public parameter describing the 
verification (raise to the cube modulo N). 

- 2 - The banker tests the stamper produced by the user. He computes 
a stamper registration by applying his own signature (take the cubic 
root modulo a 512-bit number) to the concatenation of the public 
value K (240 bits) given by the stamper, the user identifier (50 
bits), the bankcard serial number (50 bits), date and period of 
validity (40 bits), various codes (60 bits), and an easily checked 
redundancy (72 bits). 

The banker issues the bankcard by recording in it the stamper 
registration. 

- 3 - The retailer checks the stamper registration by applying the 
bank verification (raise to the cube modulo the 512-bit number 
published by the bank), thus regenerating the user's public value K. 
The retailer consults the black lists on card serial numbers and on 
user identifiers. The user stamps the financial operation (date and 
amount), thus producing a signature easy to check by raising to the 
cube modulo 2^320 + K. 

The electronic check thus consists of two pieces of information : the 
stamper registration (issued by the banker), and the operation 
signature (issued by the user). Such a check can be efficiently 
verified at each step in the clearing circuit between banks. 
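As an added example (not the paper's code, nor that of IPSO or BULL CP8), the Python below carries the cube-root signature scheme of sections 5.2 and 6.1 through end to end: a modulus of the special form N = 2^320 + K is generated so that the 240-bit K publishes the 321-bit N, the banker signs the 512-bit registration (K, user identifier, serial number, validity, codes, 72 bits of redundancy) as a cube root modulo the bank number, the user stamps the operation as a cube root modulo N, and the retailer checks both by cubing and by testing the redundancy. The key generation (Miller-Rabin, with both primes congruent to 2 mod 3 so that cube roots exist), the constructed redundancy (an 8-bit XOR checksum of the payload repeated to the required width), the 40-bit date and amount fields of the operation, and the use of the same special form for the bank's 512-bit number (which guarantees that every 512-bit registration message is below the modulus) are assumptions of this illustration, as are the sample identifiers.

```python
"""Added example (not the paper's code): e = 3 signatures with redundancy,
special-form moduli 2^k + K, and the three steps of scenario 6.1.
Primality test, redundancy format and field layouts are assumptions."""
import random
from typing import Optional

rng = random.Random(1984)                          # fixed seed: reproducible toy keys
REG_WIDTHS, REG_RED = [240, 50, 50, 40, 60], 72    # K, user id, serial, validity, codes
OP_WIDTHS, OP_RED = [40, 40], 240                  # date, amount (constructed layout)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases (sufficient for an illustration)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_2mod3(start: int) -> int:
    """Smallest prime >= start that is 2 mod 3, so that 3 is invertible mod p - 1."""
    n = start + (2 - start) % 3
    while not is_probable_prime(n):
        n += 3
    return n


def special_modulus(k: int, kbits: int) -> tuple[int, int, int]:
    """(p, q, K) with p*q = 2^k + K and K < 2^kbits: q is the first suitable
    prime above 2^k / p, so the overshoot K stays far below 2^kbits."""
    while True:
        p = next_prime_2mod3(rng.getrandbits(k // 2) | 1 << (k // 2 - 1))
        q = next_prime_2mod3(-(-(1 << k) // p))       # ceil(2^k / p)
        big_k = p * q - (1 << k)
        if 0 <= big_k < 1 << kbits:
            return p, q, big_k


def cube_root(m: int, p: int, q: int) -> int:
    """The secret function (signing); verification is pow(s, 3, p * q)."""
    return pow(m, pow(3, -1, (p - 1) * (q - 1)), p * q)


def pack(values: list[int], widths: list[int], red_bits: int) -> int:
    """Concatenates the fields, then appends constructed redundancy: the 8-bit
    XOR checksum of the payload repeated red_bits / 8 times."""
    payload, width = 0, 0
    for v, w in zip(values, widths):
        assert 0 <= v < 1 << w, "field does not fit its width"
        payload, width = (payload << w) | v, width + w
    chk = 0
    for b in payload.to_bytes((width + 7) // 8, "big"):
        chk ^= b
    return (payload << red_bits) | int.from_bytes(bytes([chk]) * (red_bits // 8), "big")


def unpack(m: int, widths: list[int], red_bits: int) -> Optional[list[int]]:
    """Splits m into its fields; None when the redundancy fails, which is
    what a forged or corrupted signature yields once cubed."""
    payload, values = m >> red_bits, []
    for w in reversed(widths):
        values.append(payload & ((1 << w) - 1))
        payload >>= w
    values.reverse()
    return values if payload == 0 and pack(values, widths, red_bits) == m else None


def bank_register(bank_p: int, bank_q: int, big_k: int, user_id: int,
                  serial: int, validity: int, codes: int) -> int:
    """Step 2: the stamper registration the banker writes into the bankcard."""
    m = pack([big_k, user_id, serial, validity, codes], REG_WIDTHS, REG_RED)
    return cube_root(m, bank_p, bank_q)


def user_stamp(p: int, q: int, date: int, amount: int) -> int:
    """Step 3: the user signs the financial operation with the stamper."""
    return cube_root(pack([date, amount], OP_WIDTHS, OP_RED), p, q)


def retailer_check(bank_n: int, registration: int, stamp: int,
                   blacklist: set) -> Optional[dict]:
    """Step 3: verify the registration, recover K, consult the black lists,
    then verify the operation signature modulo 2^320 + K."""
    reg = unpack(pow(registration, 3, bank_n), REG_WIDTHS, REG_RED)
    if reg is None:
        return None
    big_k, user_id, serial, _validity, _codes = reg
    if user_id in blacklist or serial in blacklist:
        return None
    op = unpack(pow(stamp, 3, (1 << 320) + big_k), OP_WIDTHS, OP_RED)
    return None if op is None else {"user": user_id, "serial": serial,
                                    "date": op[0], "amount": op[1]}
```

Step 1 is `special_modulus(320, 240)`, run on the user's domestic device: the prime pair goes into the stamper and only K is published. The retailer never needs the bank's secret, only its public 512-bit number, and the redundancy is what turns "raise to the cube" into a meaningful check: a random value cubed decomposes into fields whose checksum does not match, so a forged registration or stamp is rejected without any on-line query to the bank.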

7 - CONCLUSION 

The current needs concerning new services, dedicated to business as 
well as open to the general public, are secrecy, discretion, 
identification, authentication, certification, signature, 
attestation, confirmation, acknowledgement of receipt... GARANTIR is 
the French word that best describes all these concepts. It requires 
only a step further to create a new word : "garantics" to say 
"implementation of security in new services". 

Cryptographic algorithms, security protocols, smart cards are the 
basic tools of garantics. 

Let us keep in mind : the more our countries are computerized, the 
more bank frauds, economic sabotage, and industrial spying are 
prejudicial ! 
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